CVE-2025-34059

N/A Unknown

Published: July 01, 2025 Modified: November 20, 2025

Description

An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://pentest-tools.com/vulnerabilities-exploits/zhejiang-dahua-smart-cloud-gateway-registration-platform-sql-injection-cnvd-2024-38747_23762

Source: disclosure@vulncheck.com

https://vulncheck.com/advisories/dahua-smart-cloud-gateway-sql-injection

Source: disclosure@vulncheck.com

https://www.cnblogs.com/LeouMaster/p/18509644

Source: disclosure@vulncheck.com

https://www.cnvd.org.cn/flaw/show/CNVD-2024-38747

Source: disclosure@vulncheck.com

https://www.dahuatech.com/

Source: disclosure@vulncheck.com

5 reference(s) from NVD

Quick Stats

CVSS v3 Score

N/A / 10.0

EPSS (Exploit Probability)

0.2%

36th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-89 CWE-200

Related CVEs

CVE-2026-0824 3.5

CVE-2026-0822 6.3

CVE-2025-13393 4.3

CVE-2025-12379 6.4

CVE-2026-0821 7.3