Security News > 2023 > May > Hackers Exploiting 5-year-old Unpatched Vulnerability in TBK DVR Devices
Threat actors are actively exploiting an unpatched five-year-old flaw impacting TBK digital video recording devices, according to an advisory issued by Fortinet FortiGuard Labs.
The vulnerability in question is CVE-2018-9995, a critical authentication bypass issue that could be exploited by remote actors to gain elevated permissions.
The network security company said it observed over 50,000 attempts to exploit TBK DVR devices using the flaw in the month of April 2023.
Despite the availability of a proof-of-concept exploit, there are no fixes that address the vulnerability.
The flaw impacts TBK DVR4104 and DVR4216 product lines, which are also rebranded and sold using the names CeNova, DVR Login, HVR Login, MDVR Login, Night OWL, Novo, QSee, Pulnix, Securus, and XVR 5 in 1.
Fortinet warned of a surge in the exploitation of CVE-2016-20016, another critical vulnerability affecting MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE. The flaw could permit a remote unauthenticated attacker to execute arbitrary operating system commands as root due to the presence of a web shell that is accessible over a /shell URI. "With tens of thousands of TBK DVRs available under different brands, publicly-available PoC code, and an easy-to-exploit makes this vulnerability an easy target for attackers," Fortinet noted.
News URL
https://thehackernews.com/2023/05/hackers-exploiting-5-year-old-unpatched.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-10-19 | CVE-2016-20016 | Unspecified vulnerability in Mvpower Tv-7104He Firmware and Tv7108He Firmware MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. | 9.8 |
2018-04-10 | CVE-2018-9995 | Unspecified vulnerability in Tbkvision Tbk-Dvr4104 Firmware and Tbk-Dvr4216 Firmware TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response. | 9.8 |