CVE-2025-34059 HIGH

CVE-2025-34059: Dahua Smart Cloud Gateway Registration Management Platform SQL Injection

Vendor: Zhejiang Dahua Technology Co., Ltd.
Product: Smart Cloud Gateway Registration Management Platform
Weakness: CWE-89 · SQLi
Published: July 1, 2025
Last update: November 20, 2025

CVSS base score

8.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

Key dates

02 Disclosure timeline

July 1, 2025: CVE published
November 20, 2025: Record updated