PatchSiren

CVE-2017-6342 Dahuasecurity CVE debrief

CVE-2017-6342 was published on 2017-02-27 and remains listed by NVD as a critical authentication/privilege issue affecting Dahua DHI-HCVR7216A-S3-related firmware and SmartPSS 1.16.1. According to the CVE description, when SmartPSS is launched and still on the login screen, the software in the background automatically logs in as admin. That behavior can expose sensitive information, including the data identified in CVE-2017-6341, without prior knowledge of the password. NVD maps the issue to CWE-269 and rates it CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vendor: Dahuasecurity
Product: CVE-2017-6342
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-27
Original CVE updated: 2026-05-13
Advisory published: 2017-02-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for Dahua DHI-HCVR7216A-S3 devices, associated NVR or camera firmware, and any deployments of SmartPSS 1.16.1 should review this issue. Network defenders should also care if these systems are exposed to untrusted networks or used to access sensitive surveillance data.

Technical summary

The vulnerability is described as an unintended background admin login in SmartPSS during launch, even while the visible interface remains on the login screen. That can let an attacker observe or retrieve sensitive information without authenticating normally. The NVD record lists affected CPEs for Dahua camera firmware 2.400.0000.28.r, NVR firmware 3.210.0001.10, and SmartPSS firmware/software 1.16.1, and classifies the weakness as CWE-269 (improper privilege management).

Defensive priority

Urgent. NVD assigns CVSS 9.8 critical severity, and the issue can be reached without prior authentication according to the record.

Recommended defensive actions

  • Inventory Dahua devices and SmartPSS installations to confirm whether the affected versions are present.
  • Treat SmartPSS systems on the affected versions as sensitive until verified remediated or isolated.
  • Restrict network access to affected surveillance management systems, especially from untrusted segments.
  • Follow vendor remediation guidance and deploy updated firmware/software where available.
  • Review access logs and monitor for unexpected administrative sessions or exposure of surveillance data.
  • Evaluate exposure to the related issue CVE-2017-6341; the description says the data it identifies may be sniffed without knowing the password.

Evidence notes

This debrief is based on the CVE record and NVD metadata supplied in the corpus. The description states that SmartPSS auto-logs in as admin on the login screen and can expose sensitive information from CVE-2017-6341. NVD metadata lists CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and weakness CWE-269, with affected CPEs for Dahua camera firmware 2.400.0000.28.r, NVR firmware 3.210.0001.10, and SmartPSS 1.16.1. The source references include SecurityFocus BID 96454 and a third-party advisory by nullku7.

Official resources

Publicly disclosed and published in the CVE record on 2017-02-27; the supplied NVD metadata was last modified on 2026-05-13. This summary does not add unverified remediation or exploit details beyond the provided corpus.