CVE-2018-9995
published 2018-04-10

CVE-2018-9995: TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run…

Priority: P1 · 96 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW EXPLOIT · VulnCheck KEV · Ransomware · Initial access
Exploited in the wild
EPSS: 83.15% (99.6th percentile)
TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.

Detection & IOCs (extracted from sources)

cookie: uid=admin
url: /device.rsp?opt=user&cmd=list
port: 554
port: 2323
port: 567
port: 5523
port: 8080
port: 9530
port: 56575
ua: Morzilla/7.0 (911; Pinux x86_128; rv:9743.0)
  • Detect CVE-2018-9995 exploitation attempts by matching HTTP GET requests to /device.rsp?opt=user&cmd=list that include a Cookie header with uid=admin
  • GreyNoise internal query pattern for this exploit: match packets where data contains GET /device.rsp?opt=user&cmd=list and user=admin
  • Exploitation of CVE-2018-9995 returns JSON data containing user credentials (uid, pwd, role fields); monitor HTTP responses from DVR devices for JSON lists with these fields following a /device.rsp?opt=user&cmd=list request
  • The vulnerability affects TBK DVR4104 and DVR4216 devices as well as multiple re-branded variants (Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, MDVR Login); detection rules should account for all affected brands
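The two detection bullets above (request side: GET to /device.rsp?opt=user&cmd=list with a Cookie header carrying uid=admin; response side: a JSON list of objects with uid/pwd/role fields leaving a DVR) can be turned into a small log-scanning routine. The code below is an added example, not part of this record or of any vendor or GreyNoise tooling; the single-line log format, the sample log lines and the sample response bodies are constructed here for illustration. The query check is order-independent (cmd=list&opt=user matches as well as opt=user&cmd=list), which goes slightly beyond the literal string the record quotes.

```python
"""Added detection example for CVE-2018-9995 (constructed; not from the record's sources)."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log format (assumption for this example):
#   <src_ip> <method> <path> "cookie=<Cookie header>" "ua=<User-Agent>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'"cookie=(?P<cookie>[^"]*)" "ua=(?P<ua>[^"]*)"$'
)

TARGET_PATH = "/device.rsp"
CRED_FIELDS = {"uid", "pwd", "role"}  # fields the record says the leaked JSON carries


def parse_line(line):
    """Split one constructed log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_cookie_header(cookie_header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    pairs = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs[name] = value.strip()
    return pairs


def is_user_list_request(path):
    """True when path and query select the credential-listing endpoint, in any parameter order."""
    parts = urlsplit(path)
    if parts.path != TARGET_PATH:
        return False
    q = parse_qs(parts.query)
    return q.get("opt") == ["user"] and q.get("cmd") == ["list"]


def scan_requests(lines):
    """Return one finding per GET to the user-list endpoint whose Cookie header sets uid=admin."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if is_user_list_request(rec["path"]) and parse_cookie_header(rec["cookie"]).get("uid") == "admin":
            findings.append({"src": rec["src"], "path": rec["path"], "ua": rec["ua"]})
    return findings


def response_leaks_credentials(body):
    """True when a JSON body is (or wraps) a non-empty list of objects that each carry uid, pwd and role."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if isinstance(data, list):
        lists = [data]
    elif isinstance(data, dict):  # tolerate a wrapper object around the list (assumption)
        lists = [v for v in data.values() if isinstance(v, list)]
    else:
        return False
    return any(
        items and all(isinstance(i, dict) and CRED_FIELDS.issubset(i) for i in items)
        for items in lists
    )


# Constructed sample traffic: two hits, three non-matches (wrong uid, wrong path, wrong method).
SAMPLE_LOG = [
    '203.0.113.5 GET /device.rsp?opt=user&cmd=list "cookie=uid=admin" "ua=Morzilla/7.0 (911; Pinux x86_128; rv:9743.0)"',
    '198.51.100.7 GET /device.rsp?cmd=list&opt=user "cookie=sess=abc; uid=admin" "ua=curl/7.88"',
    '192.0.2.10 GET /device.rsp?opt=user&cmd=list "cookie=uid=operator" "ua=Mozilla/5.0"',
    '192.0.2.11 GET /index.html "cookie=uid=admin" "ua=Mozilla/5.0"',
    '192.0.2.12 POST /device.rsp?opt=user&cmd=list "cookie=uid=admin" "ua=Mozilla/5.0"',
]
SAMPLE_RESPONSE = '[{"uid": "admin", "pwd": "EXAMPLE-PLACEHOLDER", "role": 2}]'  # constructed
BENIGN_RESPONSE = '{"status": "ok"}'

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_LOG):
        print("CVE-2018-9995 attempt from", f["src"], "ua:", f["ua"])
    print("credential list in response:", response_leaks_credentials(SAMPLE_RESPONSE))
```

The request check keeps the GET-only filter the record states; the response check is the stronger signal, since a JSON user list with password fields leaving a DVR indicates the bypass actually succeeded rather than merely being attempted. The spoofed User-Agent from the IOC list is carried through in the finding so it can be correlated, but is deliberately not used as a match condition, because it is trivially changed.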

CVSS provenance

NVD (CVSS v3.0): 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
VulnCheck: 9.8 CRITICAL