Security
Headlines
HeadlinesLatestCVEs

Headline

Hackers Exploiting 5-year-old Unpatched Vulnerability in TBK DVR Devices

Threat actors are actively exploiting an unpatched five-year-old flaw impacting TBK digital video recording (DVR) devices, according to an advisory issued by Fortinet FortiGuard Labs. The vulnerability in question is CVE-2018-9995 (CVSS score: 9.8), a critical authentication bypass issue that could be exploited by remote actors to gain elevated permissions. "The 5-year-old vulnerability (

The Hacker News
#vulnerability#web#git#auth#The Hacker News

Surveillance / Vulnerability

Threat actors are actively exploiting an unpatched five-year-old flaw impacting TBK digital video recording (DVR) devices, according to an advisory issued by Fortinet FortiGuard Labs.

The vulnerability in question is CVE-2018-9995 (CVSS score: 9.8), a critical authentication bypass issue that could be exploited by remote actors to gain elevated permissions.

“The 5-year-old vulnerability (CVE-2018-9995) is due to an error when handling a maliciously crafted HTTP cookie,” Fortinet said in an outbreak alert on May 1, 2023. “A remote attacker may be able to exploit this flaw to bypass authentication and obtain administrative privileges eventually leading access to camera video feeds.”

The network security company said it observed over 50,000 attempts to exploit TBK DVR devices using the flaw in the month of April 2023. Despite the availability of a proof-of-concept (PoC) exploit, there are no fixes that address the vulnerability.

The flaw impacts TBK DVR4104 and DVR4216 product lines, which are also rebranded and sold using the names CeNova, DVR Login, HVR Login, MDVR Login, Night OWL, Novo, QSee, Pulnix, Securus, and XVR 5 in 1.

Additionally, Fortinet warned of a surge in the exploitation of CVE-2016-20016 (CVSS score: 9.8), another critical vulnerability affecting MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The flaw could permit a remote unauthenticated attacker to execute arbitrary operating system commands as root due to the presence of a web shell that is accessible over a /shell URI.

“With tens of thousands of TBK DVRs available under different brands, publicly-available PoC code, and an easy-to-exploit makes this vulnerability an easy target for attackers,” Fortinet noted. “The recent spike in IPS detections shows that network camera devices remain a popular target for attackers.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

CVE-2016-20016: Offensive Security’s Exploit Database Archive

MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.

The Hacker News: Latest News

Experts Uncover 70,000 Hijacked Domains in Widespread 'Sitting Ducks' Attack Scheme