Hacked DAHUA cam and added that names

Yeah, the major vulnerabilities that allow this to happen are CVE-2025-31702 and CVE-2021-33044/CVE-2021-33045. Seen how it's done, so I know. TIGOS's idea of creating accounts using those trolls accounts is good if you want to still use P2P; might be worth a shot.
I've also seen many videos of how this vulnerability is exploited.
Found a way to check if my camera is vulnerable to these vulnerabilities.
(GitHub - umair-aziz025/dahua-cve-research: Dahua IP camera CVE research toolkit (CVE-2021-33044/33045, CVE-2025-31700/31701))

But that's all just theory.

Haven't seen a freely available app for hacking this kind of device yet.
Actually, to my delight.
Because immediately there will be a ton of hacks everywhere.
 
Unfortunately, tools have been made and are being sold on Telegram channels, one of which was forked using this on GitHub. I saw a demo posted by a seller who showed it could hack quite a few, so yeah, the threat is real and could affect a majority of cams that have not been updated after 2024.
 
I found this thread when searching for "dahua", "oldworld", "newworld" on Google and it seems one of my devices has been "hacked".

But I still don't know how and when, but the first thing to mention is:
No new user ACCOUNTS have been created, only two user GROUPS named "oldworld" and "newworld".
The admin account's password has not been changed, no other accounts exist. It contained uppercase, lowercase, special characters, 8 chars long.

On this network I use the same router from the beginning (FritzBox 7590) which has always been up to date.
I never used UPnP or a single port forwarding on the router. I deactivated all those features on my cams.
I only used P2P for some hours on my VTO2000A to test the app to see who is at my door and decided I don't need this.

Cam model is an IPC-HDBW1320E-W
System Version 2.400.0000000.16.R, Build Date: 2017-08-31
WEB Version 3.2.1.490211
ONVIF Version 16.12(V2.3.1.458331)

Rather old, firmware was already installed when shipping and no newer version was found at any time.

My questions here are:
How the heck could someone manipulate the camera when it was not reachable from the outside at any time?
Was P2P/Easy4ip enabled by default when shipping and they broke in while I configured the cam and turned it off?
Why did they create two user groups but no account?

I checked a camera of the same type on my network, but no additional users or groups were there.
No strings were added to the Label setting or somewhere else.

The cameras monitor uncritical outdoor areas.
Any ideas what I should check for?

The only (somewhat) suspicious entry in the log is:
1025  2024-10-15 20:57:00  System  Lock Account

All other log entries are from 2026, two weekly auto-reboots:
704  2026-06-20 04:37:47  System  Save Configuration
705  2026-06-20 04:37:47  System  Event Begin
706  2026-06-20 04:37:47  System  Event Begin
707  2026-06-20 04:37:46  System  Start up
708  2026-06-20 04:37:46  System  Auto Maintain
709  2026-06-20 04:37:00  System  Reboot

And a lot of "Event begin", "Event ends" which is either motion detection from trees in the wind or wifi disconnects/reconnects.

Any suggestions?
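
One way to triage a log copied out of the camera's web UI, as in the post above (an added example, not code from any poster or from the linked toolkit): it separates the fused index/timestamp/user/event fields, lists account-related entries, and reports the longest silent period in the log. `KNOWN_USERS` and `KEYWORDS` are assumptions, and the sample lines are constructed from the excerpt in the post.

```python
import re
from datetime import datetime

# Constructed sample: log rows in the fused form produced by copying the
# web UI log table (index + timestamp + user + event, no separators).
SAMPLE = """\
7042026-06-20 04:37:47SystemSave Configuration
7052026-06-20 04:37:47SystemEvent Begin
7072026-06-20 04:37:46SystemStart up
7082026-06-20 04:37:46SystemAuto Maintain
7092026-06-20 04:37:00SystemReboot
10252024-10-15 20:57:00SystemLock Account
"""

# The lazy index group stops where a full timestamp begins.
LINE = re.compile(r"^(\d+?)(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(.+)$")
KNOWN_USERS = ("System", "admin")  # assumption: account names on this camera
KEYWORDS = ("account", "user", "group", "login", "password")  # heuristic, not a vendor list

def parse(text):
    """Split fused lines into (index, time, user, event) tuples."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a log row
        rest = m.group(3)
        user = next((u for u in KNOWN_USERS if rest.startswith(u)), "")
        when = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
        rows.append((int(m.group(1)), when, user or "?", rest[len(user):].strip()))
    return rows

def account_events(rows):
    """Rows whose event text mentions accounts, groups or credentials."""
    return [r for r in rows if any(k in r[3].lower() for k in KEYWORDS)]

def largest_gap(rows):
    """(start, end) of the longest period with no entries, or None."""
    times = sorted(r[1] for r in rows)
    return max(zip(times, times[1:]), key=lambda p: p[1] - p[0], default=None)

if __name__ == "__main__":
    rows = parse(SAMPLE)
    for idx, when, user, event in account_events(rows):
        print(f"review: #{idx} {when} {user}: {event}")
    gap = largest_gap(rows)
    if gap:
        print(f"longest gap: {gap[0]} -> {gap[1]} ({(gap[1] - gap[0]).days} days)")
```

Run it over the full exported log rather than an excerpt, so the flagged entries and the gap can be compared against the dates P2P was enabled and the firmware build date.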