Description
A vulnerability has been found in some Dahua products. An attacker
may obtain the device’s CA root certificate. If that CA is installed and
trusted on client systems, the attacker could issue fraudulent certificates
trusted by those clients and undermine the certificate trust chain.
Published: 2026-06-10
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Dahua IPC cameras allows extraction of the device’s CA root certificate. If an attacker obtains this certificate and installs it in a client system’s trust store, certificates signed by that CA will be treated as legitimate, effectively compromising the certificate trust chain. The weakness is a certificate disclosure flaw, classified under CWE‑538.

Affected Systems

The advisory mentions Dahua IPC cameras. No specific firmware versions are identified, so users should verify whether their cameras belong to the affected line and consult the vendor for any patch or firmware update.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall impact. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to first extract the CA certificate from the device; once this certificate is trusted by a client, an attacker could sign certificates that the client would accept. While no public exploit has been reported, any environment that automatically trusts certificates from Dahua devices is potentially at risk until a vendor fix is released.

Generated by OpenCVE AI on June 10, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove or distrust the Dahua device’s CA root certificate from any client trust stores unless absolutely required.
  • Restrict network access to Dahua IPC devices to reduce the chance of certificate extraction, such as by moving them to a separate VLAN or applying access control lists.
  • Monitor Dahua’s security advisories and apply any firmware update that removes or replaces the CA root certificate when it becomes available.
  • Implement certificate pinning on client applications that connect to the cameras to enforce that only trusted commercial certificates are accepted.

Generated by OpenCVE AI on June 10, 2026 at 07:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
Title Public Disclosure of Dahua IPC CA Root Certificate Enables Fake Trusted Certificates

Wed, 10 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Dahua
Dahua ipc
Vendors & Products Dahua
Dahua ipc

Wed, 10 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in some Dahua products. An attacker may obtain the device’s CA root certificate. If that CA is installed and trusted on client systems, the attacker could issue fraudulent certificates trusted by those clients and undermine the certificate trust chain.
Weaknesses CWE-538
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Dahua Ipc
cve-icon MITRE

Status: PUBLISHED

Assigner: dahua

Published:

Updated: 2026-06-10T05:44:50.397Z

Reserved: 2026-03-04T03:32:28.880Z

Link: CVE-2026-29114

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T07:16:24.890

Modified: 2026-06-10T07:16:24.890

Link: CVE-2026-29114

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T08:00:12Z

Weaknesses