A command injection vulnerability in Dahua EIMS versions prior to 2240008 allows unauthenticated remote attackers to execute arbitrary system commands via the capture_handle.action interface. The flaw stems from improper input validation in the captureCommand parameter, which is processed without sanitization or authentication. By sending crafted HTTP requests, attackers can inject OS-level commands that are executed on the server, leading to full system compromise. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-04-06 UTC.
Security readout for executives and security teams
Plain-English summary
CVE-2024-13985 is a critical unauthenticated remote code execution flaw in Dahua EIMS before version 2240008. An attacker reaching the vulnerable interface could run system commands on the server, creating a credible path to full compromise of affected deployments.
Executive priority
Prioritize within emergency patching for any reachable Dahua EIMS deployment. The vulnerability is unauthenticated, network exploitable, critical severity, and has reported exploitation evidence, making delay materially increase compromise risk.
Technical view
The issue is CWE-78 command injection in the capture_handle.action interface. The captureCommand parameter is reportedly processed without authentication or sanitization, allowing OS command execution over the network. The CVSS 4.0 score is 10.0, with high impact across vulnerable and subsequent systems.
Likely exposure
Exposure is most likely where Dahua EIMS is deployed and reachable over HTTP, especially from the internet or untrusted networks. The bundle identifies versions before 2240008 as affected, but the affected-version metadata is limited and should be verified against Dahua guidance.
Exploitation context
The CVE is not listed as KEV in the bundle. However, the bundle states Shadowserver first observed exploitation evidence on 2024-04-06 UTC, and several references are tagged as exploit or technical descriptions. Treat reachable systems as urgent until verified remediated.
Researcher notes
The supplied affected metadata is sparse and internally inconsistent: the narrative says versions before 2240008, while the structured affected entry lists version 0 with default unaffected. Avoid broad product assumptions and validate against Dahua’s advisory and asset evidence.
Mitigation direction
Identify all Dahua EIMS instances and confirm their exact version.
Review Dahua’s advisory and update affected EIMS deployments to a non-vulnerable release.
Remove public internet exposure for EIMS management interfaces.
Restrict access to trusted administrative networks using firewall or VPN controls.
Monitor affected servers for unexpected process execution and web request anomalies.
Validation and detection
Inventory externally and internally reachable Dahua EIMS web interfaces.
Confirm whether each instance is before version 2240008.
Check access logs for requests to capture_handle.action.
Review host logs for suspicious command execution by the EIMS service account.
Verify vendor remediation status after upgrade or mitigation.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-78: Command execution behavior lookup
Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
9Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-78 · source CWE mapping
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.