CVE-2018-25126
published 2025-11-24CVE-2018-25126: Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS…
PriorityP185critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
ITWVulnCheck KEV
Exploited in the wild
EPSS
3.70%
88.3th percentile
Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachable in some models through a proprietary TCP service on port 4567 that accepts a magic GUID preface and base64-encoded XML, enabling the same command injection sink. Firmware releases from mid-February 2018 and later are reported to have addressed this issue. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-28 UTC.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shenzhen_tvt_digital_technology_co_ltd | nvms-9000 | < mid-February firmware builds | mid-February firmware builds |
CVSS provenance
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-54fc-5f6v-pcx6: Shenzhen TVT Digital Technology Co
ghsa_unreviewed·2025-11-24
CVE-2018-25126 [CRITICAL] CWE-78 GHSA-54fc-5f6v-pcx6: Shenzhen TVT Digital Technology Co
Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachable in some models through a proprietary TCP service on port 4567 that accepts a magic GUID preface and base64-encod
VulnCheck
TVT nvms-9000_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2018·CVSS 9.3
CVE-2018-25126 [CRITICAL] TVT nvms-9000_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
TVT nvms-9000_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachab
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://blogs.juniper.net/en-us/threat-research/iot-botnet-exploiting-tvt-shenzhen-dvrs-still-lingershttps://github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txthttps://qkl.seebug.org/vuldb/ssvid-97217https://web.archive.org/web/20180614014914/http://en.tvt.net.cn:80/news/227.htmlhttps://www.vulncheck.com/advisories/tvt-nvms9000-hardcoded-api-credentials-and-command-injection
2025-11-24
Published
Exploited in the wild