PatchSiren cyber security CVE debrief
CVE-2017-6343 Dahuasecurity CVE debrief
CVE-2017-6343 is a high-severity authentication weakness in the web interface of affected Dahua DHI-HCVR7216A-S3 devices and related firmware/software. According to NVD, a remote attacker who knows the MD5 Admin Hash may obtain login access without knowing the password. The issue is classified as CWE-287 and is distinct from CVE-2013-6117.
- Vendor: Dahuasecurity
- Product: CVE-2017-6343
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-27
- Advisory updated: 2026-05-13
Who should care
Organizations using Dahua DHI-HCVR7216A-S3 devices, the listed NVR firmware, camera firmware, or SmartPSS software should treat this as an access-control issue that can expose management interfaces to unauthorized login attempts. It is especially relevant where the web interface is reachable from untrusted networks.
Technical summary
The NVD record describes a web interface authentication bypass affecting Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10, Camera Firmware 2.400.0000.28.R, and SmartPSS Software 1.16.1. The vulnerability is summarized as remote attackers being able to obtain login access by leveraging knowledge of the MD5 Admin Hash without knowledge of the corresponding password. NVD lists the weakness as CWE-287 and the CVSS vector as CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
High. The issue can lead to unauthorized administrative access over the network, so any exposure of the management interface should be reviewed and reduced as a matter of urgency.
Recommended defensive actions
- Identify whether any exposed systems match the affected Dahua model, firmware, or SmartPSS versions listed in the NVD record.
- Apply vendor-provided updates or replacements if available for the affected versions.
- Restrict access to the web interface to trusted management networks only.
- Remove internet exposure of device management interfaces where possible.
- Review authentication logs for unexpected or unauthorized logins.
- Reset and rotate administrative credentials and related access controls as part of remediation planning.
Evidence notes
The description in the supplied NVD-derived record states that the web interface on Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10, Camera Firmware 2.400.0000.28.R, and SmartPSS Software 1.16.1 allows remote attackers to obtain login access by leveraging knowledge of the MD5 Admin Hash without knowing the password, and that it is a different vulnerability than CVE-2013-6117. NVD also lists CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H and CWE-287. The supplied source corpus does not include an official vendor remediation notice, so recommended actions are limited to defensive containment and standard patch-management steps.
Official resources
- CVE-2017-6343 CVE record: CVE.org
- CVE-2017-6343 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Third Party Advisory
CVE published: 2017-02-27T07:59:00.440Z. Source and CVE modified: 2026-05-13T00:24:29.033Z. No KEV entry is listed in the supplied data.