Path Traversal Vulnerability in Dahua Smart Park Integrated Management Platform
CVE-2023-7309

10CRITICAL

Key Information:

Vendor

Zhejiang Dahua Technology Co., Ltd.

Status
Smart Park Integrated Management Platform
Vendor
CVE Published:
27 August 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-7309?

A significant vulnerability has been identified in the Dahua Smart Park Integrated Management Platform, where an exploitable path traversal flaw exists in the SOAP-based GIS bitmap upload feature. This vulnerability enables unauthenticated remote attackers to send specially crafted SOAP requests, allowing them to upload malicious files, including executable JSP payloads, to the server. If exploited, this could lead to unauthorized remote code execution and potential full system compromise. Users are urged to update to the latest software versions released after September 2023 to mitigate this risk.

Affected Version(s)

Smart Park Integrated Management Platform *

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-7309 - Proof of Concept

CVE-2023-7309 - Proof of Concept

References

https://support.dahuatech.com/bulletin/info?IsDpValue=hJV...
vendor-advisory
https://developer.aliyun.com/article/1333161
technical-descriptionexploit
https://github.com/tequilasunsh1ne/dahua_bitmap_fileupload
exploit

CVSS V4

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Li Huohuo
.
CVE-2023-7309 : Path Traversal Vulnerability in Dahua Smart Park Integrated Management Platform