CVE-2026-29114
Deferred Deferred - Pending Action

Dahua Products CA Root Certificate Exposure

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Dahua Technologies

Description
A vulnerability has been found in some Dahua products. An attacker may obtain the device’s CA root certificate. If that CA is installed and trusted on client systems, the attacker could issue fraudulent certificates trusted by those clients and undermine the certificate trust chain.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-30
AI Q&A
2026-06-10
EPSS Evaluated
2026-06-29
NVD
CVE-2026-29114
EUVD
EUVD-2026-35984

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
dahua ipc to 2026-04-15 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects some Dahua products where an attacker may obtain the device’s CA root certificate.

If the compromised CA root certificate is installed and trusted on client systems, the attacker could issue fraudulent certificates that those clients would trust.

This undermines the certificate trust chain, potentially allowing malicious activities that rely on trusted certificates.

Impact Analysis

If an attacker obtains the CA root certificate from a vulnerable Dahua device and that certificate is trusted on your client systems, they could create fraudulent certificates.

These fraudulent certificates could be used to impersonate legitimate services or devices, potentially leading to man-in-the-middle attacks or unauthorized access.

However, the vulnerability has a low severity score (CVSS 2.3), indicating the impact might be limited or require specific conditions.

Mitigation Strategies

To mitigate this vulnerability, Dahua recommends downloading the corresponding fix software or updating to the latest version of the affected products.

This applies especially to certain IPC models with build times prior to April 15, 2026.

Compliance Impact

This vulnerability allows an attacker to obtain the device’s CA root certificate, which could enable the issuance of fraudulent certificates trusted by client systems. Such a compromise of the certificate trust chain can undermine the security of communications and data integrity.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to issue fraudulent certificates and compromise trust chains could potentially lead to violations of data protection and security requirements mandated by these regulations.

Organizations relying on affected Dahua products should consider the risk of unauthorized access or data interception due to this vulnerability, which may impact their compliance posture and require remediation to maintain regulatory compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29114. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart