Predictable Session ID Vulnerability in Dahua Products
CVE-2020-9502

9.8CRITICAL

Key Information:

Vendor: Dahuasecurity
Status: Ipc-hx2xxx Series,ipc-hxxx5x4x Series,ipc-hx5842h,ipc-hx7842h,nvr 5x Series,nvr 4x Series,sd6al Series,sd5a Series,sd1a Series,ptz1a Series,sd50/52c Series,ipc-hfw1431s
Vendor: CVE Published:; 13 May 2020

🔔 Create Dahuasecurity Vulnerability Alert

What is CVE-2020-9502?

Certain Dahua security devices, manufactured before December 2019, exhibit a predictable Session ID vulnerability. This flaw allows attackers to exploit predictable session identifiers during normal user interactions, enabling unauthorized access to sensitive device data by constructing crafted data packets. This vulnerability underscores the necessity for users to ensure their systems are updated and secured against such predictable attacks.

Affected Version(s)

IPC-HX2XXX Series,IPC-HXXX5X4X Series,IPC-HX5842H,IPC-HX7842H,NVR 5x Series,NVR 4x Series,SD6AL Series,SD5A Series,SD1A Series,PTZ1A Series,SD50/52C Series,IPC-HFW1431S Versions which Build time before December,2019

References

https://www.dahuasecurity.com/support/cybersecurity/detai...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2020
Vulnerability Reserved
Mar 1, 2020

CVE-2020-9502 Data

JSON