CVE-2025-34059

An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

CVSS

No CVSS.

References

Link	Resource
https://pentest-tools.com/vulnerabilities-exploits/zhejiang-dahua-smart-cloud-gateway-registration-platform-sql-injection-cnvd-2024-38747_23762
https://vulncheck.com/advisories/dahua-smart-cloud-gateway-sql-injection
https://www.cnblogs.com/LeouMaster/p/18509644
https://www.cnvd.org.cn/flaw/show/CNVD-2024-38747
https://www.dahuatech.com/

Configurations

No configuration.

History

20 Nov 2025, 19:16

Type	Values Removed	Values Added
Summary	(en) An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-13 UTC.	(en) An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

13 Nov 2025, 19:15

Type	Values Removed	Values Added
Summary	(en) An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information.	(en) An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-13 UTC.

Information

Published : 2025-07-01 15:15

Updated : 2025-11-20 19:16

NVD link : CVE-2025-34059

Mitre link : CVE-2025-34059

CVE.ORG link : CVE-2025-34059

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

JSON object

Attach tags to CVE-2025-34059

Attach tags to `CVE-2025-34059`