CVE-2020-9502
📋 TL;DR
Dahua security cameras and other products manufactured before December 2019 have predictable session IDs, allowing attackers to hijack authenticated sessions. This affects all users of vulnerable Dahua devices with default configurations. Attackers can bypass authentication and gain unauthorized access to device controls.
💻 Affected Systems
- Dahua IP cameras
- Dahua NVRs
- Dahua DVRs
- Other Dahua security products
📦 What is this software?
Ipc Hx2xxx Firmware by Dahuasecurity
Ipc Hx5842h Firmware by Dahuasecurity
Ipc Hx7842h Firmware by Dahuasecurity
Ipc Hxxx5x4x Firmware by Dahuasecurity
N42b1p Firmware by Dahuasecurity
N42b2p Firmware by Dahuasecurity
N42b3p Firmware by Dahuasecurity
N52a4p Firmware by Dahuasecurity
N52b2p Firmware by Dahuasecurity
N52b3p Firmware by Dahuasecurity
N52b5p Firmware by Dahuasecurity
N54a4p Firmware by Dahuasecurity
N54b2p Firmware by Dahuasecurity
Ptz1a Firmware by Dahuasecurity
Sd1a Firmware by Dahuasecurity
Sd50 Firmware by Dahuasecurity
Sd52c Firmware by Dahuasecurity
Sd5a Firmware by Dahuasecurity
Sd6al Firmware by Dahuasecurity
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover allowing camera manipulation, video feed access, configuration changes, and potential lateral movement to connected networks.
Likely Case
Unauthorized access to live video feeds, device settings modification, and surveillance system disruption.
If Mitigated
Limited impact if devices are behind firewalls, not internet-facing, and have network segmentation.
🎯 Exploit Status
Session ID prediction algorithms are publicly documented. Attack requires network access to device web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware with build time December 2019 or later
Vendor Advisory: https://www.dahuasecurity.com/support/cybersecurity/details/777
Restart Required: Yes
Instructions:
1. Download latest firmware from Dahua support portal. 2. Backup device configuration. 3. Upload firmware via web interface. 4. Reboot device. 5. Verify build date is December 2019 or later.
🔧 Temporary Workarounds
Network segmentation
allIsolate Dahua devices on separate VLAN with strict firewall rules
Access control restrictions
allImplement IP whitelisting and disable unnecessary services
🧯 If You Can't Patch
- Place devices behind VPN with strict authentication
- Disable web interface access from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check device build date in web interface under System Information > Version. If build time is before December 2019, device is vulnerable.Check Version:
No CLI command - check via web interface at System > Information > VersionVerify Fix Applied:
Verify build date shows December 2019 or later after firmware update.📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login with unusual session ID
- Session ID patterns showing predictability
Network Indicators:
- Unusual session ID sequences in HTTP requests
- Authentication bypass attempts to web interface
SIEM Query:
source="dahua-device" AND (event_type="auth" AND result="success" AND session_id MATCHES "predictable_pattern")