CPATH-2026-0030 · GENERAL IOT

Dahua IP camera / VTH / VTO authentication bypass (CVE-2021-33044)

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.

Paths EMERGENCY Dominant consequence DEVICE_CONTROL_SAFETY Physical/safety · Evidence EV:2 (report-backed) · Liveness PATCH_AVAILABLE

CPATH ID	`CPATH-2026-0030`
CVE(s)	CVE-2021-33044, CVE-2021-33045
Device / class	Dahua IP camera / VTH / VTO authentication bypass (CVE-2021-33044) (GENERAL IOT)
Vendor	Dahua
Dominant consequence	`DEVICE_CONTROL_SAFETY` (Physical/safety)
Paths verdict	EMERGENCY (worst of 3 paths)
Published baseline	v3.1 9.8 CRITICAL `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` · NVD / CNA via NVD (CVE-2021-33044) v3.1 9.8 CRITICAL `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` · NVD / CNA via NVD (CVE-2021-33045)
Baseline relationship	▼ Paths higher
Consequence dimension(s)	#1 #2 #7 (what these mean)
Scored	2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence	high

Consequence Paths

Paths Assessment

Physical/safety

`DEVICE_CONTROL_SAFETY`

EMERGENCY

Reachability RE:4

Complexity EC:4

Consequence DEVICE_CONTROL_SAFETY

Scale SR:4 / SX:4

Verdict EMERGENCY

Reachability 4

Complexity 4

Exposure 4

Physical / safety 3

Data / perception 3

Authority 3

Chainability 4

Reuse scale 4

Execution scale 4

Recovery 3

Evidence EV:2 · report-backed

Liveness PATCH_AVAILABLE

Vector

CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:4/EX:4/PH:3/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:2/LS:PATCH_AVAILABLE

authority

`ACCOUNT_AUTHORITY`

EMERGENCY

Reachability RE:4

Complexity EC:4

Consequence ACCOUNT_AUTHORITY

Scale SR:4 / SX:4

Verdict EMERGENCY

Reachability 4

Complexity 4

Exposure 4

Physical / safety 3

Data / perception 3

Authority 3

Chainability 4

Reuse scale 4

Execution scale 4

Recovery 3

Evidence EV:4 · field-confirmed

Liveness PATCH_AVAILABLE

Vector

CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:3/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE

perception

`PERCEPTION_PRIVACY`

CRITICAL

Reachability RE:4

Complexity EC:4

Consequence PERCEPTION_PRIVACY

Scale SR:4 / SX:4

Verdict CRITICAL

Reachability 4

Complexity 4

Exposure 4

Physical / safety 3

Data / perception 4

Authority 2

Chainability 3

Reuse scale 4

Execution scale 4

Recovery 3

Evidence EV:4 · field-confirmed

Liveness PATCH_AVAILABLE

Vector

CPATH:1.0-candidate/TT:PERCEPTION_PRIVACY/RE:4/EC:4/EX:4/PH:3/DP:4/AT:2/CH:3/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE

Assessment

CFSE Consequence Paths assesses Dahua IP camera / VTH / VTO authentication bypass (CVE-2021-33044) at EMERGENCY — the worst of 3 risk paths (safety, authority, perception). The dominant consequence is influence over a safety-relevant actuation.

Vulnerability

Dahua IP camera / VTH / VTO authentication bypass (CVE-2021-33044). Reported attack vector: Network (remote, unauthenticated crafted login packet).

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.

`DEVICE_CONTROL_SAFETY` → EMERGENCY

CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:4/EX:4/PH:3/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:2/LS:PATCH_AVAILABLE

Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=CRITICAL · AT=CRITICAL → base CRITICAL · uplift active exploitation, fleet-reachable authority → assessed EMERGENCY.

On affected VTO door stations/intercoms, admin control can drive door-release / building access functions and disable surveillance, yielding physical-security impact. RE:4 network-reachable login. EC:4 single crafted packet. AT:3 admin authority over device functions including actuation/config (not trust-root). PH:3 unauthorized door release and disabled monitoring reduce physical-security safety margin enabling unauthorized building entry; not credible direct bodily injury so not 4. DP:3 access-control/op-state.
perception_feeds_action — true: suppressing surveillance and controlling access manipulates the security-relevant reality humans act on. CH:4 cross-domain network->device->physical access-control bridge. SR:4 reusable bypass across door-station models. SX:4 fleet-scale remote reach to any exposed VTO. OR:3 patch plus reset. EV:2 report/model-backed for the door-release physical path specifically (the CVE is field-confirmed for takeover, but VTO door-release impact is product-line-inferred rather than separately field-demonstrated);
active_exploitation — false for this specific physical-control consequence.

`ACCOUNT_AUTHORITY` → EMERGENCY

CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:3/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE

Unauthenticated remote crafted login packet with the NetKeyboard type argument fully bypasses auth and grants admin-equivalent device access. RE:4 internet/network-reachable login port, AV:N. EC:4 single crafted packet, no creds, public PoCs/Nuclei templates. AT:3 admin/service authority to change config and issue commands (not a signing/OTA root, so not 4). DP:3 admin access exposes firmware/config/sensitive op-state. CH:4 reusable cross-domain bridge: app/network -> device admin -> config/feed/physical, and same technique pivots botnet enrollment. SR:4 single technique reusable across a large multi-model fleet (shared bypass logic). SX:4 fleet/internet-wide remote exploitation without per-device access; mass-scanned. OR:3 firmware update plus reset/credential rotation, no fleet signing-root rotation. EV:4 field-confirmed, CISA KEV exploited in the wild.

`PERCEPTION_PRIVACY` → CRITICAL

CPATH:1.0-candidate/TT:PERCEPTION_PRIVACY/RE:4/EC:4/EX:4/PH:3/DP:4/AT:2/CH:3/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE

Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=CRITICAL · AT=CRITICAL → base CRITICAL · uplift active exploitation · caps privacy-only cap → assessed CRITICAL.

Post-bypass the attacker accesses live and recorded video/audio from cameras/VTH/VTO and can suppress monitoring. RE:4 network-reachable. EC:4 trivial once positioned (same single-packet bypass). AT:2 bounded to feed/monitoring access from the device session. PH:1 nuisance privacy intrusion, no direct injury. DP:4 live-camera and audio perception state (surveillance feed).
perception_feeds_action — false: the video is human-monitoring/recording, not driving an automated physical/safety actuation loop here. CH:3 crosses device->observer/cloud boundary, enables stalking/recon. SR:4 reusable across the fleet. SX:4 internet-wide mass access without per-device physical reach. OR:3 firmware patch and device reset. EV:4 field-confirmed KEV.

Published baseline

v3.1 9.8 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — NVD / CNA via NVD (CVE-2021-33044)
v3.1 9.8 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — NVD / CNA via NVD (CVE-2021-33045)

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.

Sources

Score it yourself in the calculator Review this score

Cite this entry:

CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0030 (“Dahua IP camera / VTH / VTO authentication bypass (CVE-2021-33044)”), paths.cfse.ai/CPATH-2026-0030 (published 2026-06-03).

Dahua IP camera / VTH / VTO authentication bypass (CVE-2021-33044)

Paths Assessment

Assessment

Vulnerability

CFSE Consequence Paths analysis

DEVICE_CONTROL_SAFETY → EMERGENCY

ACCOUNT_AUTHORITY → EMERGENCY

PERCEPTION_PRIVACY → CRITICAL

Published baseline

Sources

`DEVICE_CONTROL_SAFETY` → EMERGENCY

`ACCOUNT_AUTHORITY` → EMERGENCY

`PERCEPTION_PRIVACY` → CRITICAL