Dahua Login Bypass with CVE-2021-33044 and CVE-2021-33045

Chrome extension that uses vulnerability CVE-2021-33044 to log in to Dahua IP cameras and VTH/VTO (video intercom) devices without authentication.
For other device types (NVR/DVR/XVR, etc), there exists CVE-2021-33045 which cannot be exploited with an ordinary web browser.
These vulnerabilities are likely to be fixed in firmware released after Sept 2021.
Credit for discovering the vulnerabilities: bashis
Chrom extension by: bp2008


Download the .zip file from the releases section.

  1. Extract the folder from this zip somewhere.
  2. Go to chrome’s extensions page ( chrome://extensions ).
  3. Enable the Developer mode option at the top right.
  4. Click Load unpacked and choose the DahuaLoginBypass folder you extracted.

Usage Instructions

Go to the login page of a Dahua IP camera and click the extension’s icon ( key) to the right of your address bar. This should add a panel with a new button for you to use:

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x