PatchSiren

CVE-2017-6341 Dahuasecurity CVE debrief

CVE-2017-6341 describes a cleartext credential exposure issue in several Dahua products. According to the NVD record, affected versions include DHI-HCVR7216A-S3 NVR firmware 3.210.0001.10, camera firmware 2.400.0000.28.R, and SmartPSS 1.16.1. The issue affects responses from the Web Page, Mobile Application, and Desktop Application interfaces, allowing an attacker with suitable network access to recover sensitive information by sniffing traffic. This is classified as CWE-319 (Cleartext Transmission of Sensitive Information).

Vendor: Dahuasecurity
Product: CVE-2017-6341
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-27
Original CVE updated: 2026-05-13
Advisory published: 2017-02-27
Advisory updated: 2026-05-13

Who should care

Organizations running the listed Dahua NVR, camera firmware, or SmartPSS versions should care, especially if devices are reachable over untrusted networks or traffic can be observed by other hosts on the same segment.

Technical summary

NVD maps this issue to CVSS v3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N and CWE-319. The vulnerable behavior is that passwords are sent in cleartext in responses associated with the Web Page, Mobile Application, and Desktop Application interfaces. The practical risk is credential disclosure to a network attacker capable of sniffing traffic. The affected CPE entries in the record include Dahua camera firmware 2.400.0000.28.R, NVR firmware 3.210.0001.10, and SmartPSS 1.16.1.

Defensive priority

Medium. Credential exposure is serious because captured passwords can be reused, but the NVD vector indicates no direct integrity or availability impact and requires network sniffing conditions.

Recommended defensive actions

  • Identify whether any Dahua devices or SmartPSS installations match the affected versions listed in NVD.
  • Apply vendor-provided updates or replacements for the affected firmware/software where available.
  • Treat credentials that may have traversed these interfaces as potentially exposed and rotate them if exposure is suspected.
  • Limit management-plane access to trusted networks and administrative hosts only.
  • Monitor for unexpected authentication attempts or reuse of compromised credentials.
  • Avoid exposing these interfaces across networks where passive sniffing is possible.
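
The identification, credential-rotation and access-restriction actions above can be run against an asset inventory. The following Python is an added example, not code from Dahua, NVD or this debrief's sources; the CSV columns, the trusted management network and the sample rows are assumptions constructed for illustration, while the affected versions are the ones listed in this debrief.

```python
import csv
import io
import ipaddress

# Affected versions as listed in this debrief (from the NVD record).
AFFECTED = {
    ("nvr", "3.210.0001.10"),       # DHI-HCVR7216A-S3 NVR firmware
    ("camera", "2.400.0000.28.r"),  # camera firmware
    ("smartpss", "1.16.1"),         # SmartPSS
}

# Assumption: the networks you treat as trusted for management access.
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample inventory; column names and rows are hypothetical.
SAMPLE_INVENTORY = """\
name,kind,version,reachable_from
lobby-nvr,NVR,3.210.0001.10,10.20.0.0/24
dock-cam,Camera, 2.400.0000.28.R ,0.0.0.0/0
ops-desktop,SmartPSS,1.16.1,10.20.0.0/24
gate-cam,Camera,2.420.0000.0.R,192.168.50.0/24
"""

def is_affected(kind, version):
    """Match case-insensitively and ignore stray whitespace from exports."""
    return (kind.strip().lower(), version.strip().lower()) in AFFECTED

def exposure_confined(reachable_from):
    """True when the source network allowed to reach the interface
    lies entirely inside a trusted management network."""
    src = ipaddress.ip_network(reachable_from.strip())
    return any(src.subnet_of(net) for net in TRUSTED_MGMT)

def triage(inventory_csv):
    """Return (name, actions) for every inventory row on an affected version."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_affected(row["kind"], row["version"]):
            continue
        actions = ["update firmware/software"]
        if not exposure_confined(row["reachable_from"]):
            # Credentials may have crossed a segment where sniffing is possible.
            actions += ["rotate credentials", "restrict management access"]
        findings.append((row["name"], actions))
    return findings

if __name__ == "__main__":
    for name, actions in triage(SAMPLE_INVENTORY):
        print(f"{name}: {', '.join(actions)}")
```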

Evidence notes

This debrief is grounded in the supplied NVD record and referenced advisories. The NVD metadata explicitly lists the affected Dahua firmware/software versions, the CVSS v3.0 vector, and CWE-319. The source corpus also links third-party advisories from SecurityFocus, nullku7’s write-up, and a related Twitter post. No exploit code or reproduction details were used.

Official resources

CVE-2017-6341 was publicly published on 2017-02-27T07:59:00.380Z. The NVD record in the supplied corpus was last modified on 2026-05-13T00:24:29.033Z. Public references include the CVE record, NVD detail page, and linked third-party advispt