CVE-2018-25126— TVT NVMS-9000 安全漏洞

TVT NVMS-9000 Hard-coded API Credentials & Command Injection

Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachable in some models through a proprietary TCP service on port 4567 that accepts a magic GUID preface and base64-encoded XML, enabling the same command injection sink. Firmware releases from mid-February 2018 and later are reported to have addressed this issue. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-28 UTC.

N/A

使用硬编码的凭证

TVT NVMS-9000 安全漏洞

TVT NVMS-9000是中国同为（TVT）公司的一款数字视频录像机。 TVT NVMS-9000 1.3.4之前版本存在安全漏洞，该漏洞源于包含硬编码API凭据和配置服务中存在OS命令注入缺陷，可能导致任意命令执行。

N/A

N/A