CVE-2025-34036
Published 2025-06-24
Priority P1 · 90 · critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 25.28% (97.7th percentile)
An OS command injection vulnerability exists in white-labeled DVRs manufactured by TVT, affecting a custom HTTP service called "Cross Web Server" that listens on TCP ports 81 and 82. The web interface fails to sanitize input in the URI path passed to the language extraction functionality. When the server processes a request to /language/[lang]/index.html, it uses the [lang] input unsafely in a tar extraction command without proper escaping. This allows an unauthenticated remote attacker to inject shell commands and achieve arbitrary command execution as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
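The vulnerable pattern the advisory describes, and the two fixes that remove it, as an added C example that is not the DVR's code. The tar command line, archive path and destination directory are assumptions standing in for whatever Cross Web Server really runs; the attacker segment is constructed in the shape of the ${IFS} payload the ET rule matches, and it is never executed here: the vulnerable builder only returns the string that system() would have received.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed paths; the real archive and destination on the DVR are unknown. */
#define LANG_ARCHIVE "/mnt/mtd/WebSites/language.tar.gz"
#define LANG_DEST    "/nfsdir/language/"

/* Vulnerable shape: the raw [lang] segment from /language/[lang]/index.html
 * is formatted into a shell command line. Returns the string that would be
 * handed to system(); it is deliberately not executed. */
int build_tar_command_vuln(const char *lang, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "tar -zxf %s %s/* -C %s",
                     LANG_ARCHIVE, lang, LANG_DEST);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Fix 1: allowlist the segment before it goes anywhere. A language code is
 * 1..16 characters of [A-Za-z0-9_-]; ';', '$', '{', '`', '|', newline and
 * '/' all fail this check. */
int lang_is_valid(const char *lang)
{
    size_t len = strlen(lang);
    if (len == 0 || len > 16)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)lang[i];
        if (!isalnum(c) && c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Fix 2: no shell. Exec tar with an argv, so even a value that slipped past
 * the allowlist is a single argument and is never parsed for metacharacters.
 * Returns -1 if the segment is rejected or exec fails, else tar's exit code. */
int extract_language_safe(const char *lang)
{
    if (!lang_is_valid(lang))
        return -1;
    char member[32];
    snprintf(member, sizeof member, "%s/", lang);   /* archive member, not a shell glob */
    char *const argv[] = { "tar", "-zxf", LANG_ARCHIVE, member, "-C", LANG_DEST, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp("tar", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker segment: ';' ends the tar command, ${IFS} stands
     * in for the spaces a URI path cannot carry. */
    const char *payload = "en;${IFS}/bin/sh${IFS}-c${IFS}id;";
    char cmd[512];

    build_tar_command_vuln(payload, cmd, sizeof cmd);
    printf("shell line the vulnerable code would run:\n  %s\n", cmd);
    printf("allowlist: \"en\" -> %d, payload -> %d\n",
           lang_is_valid("en"), lang_is_valid(payload));
    return 0;
}
```

The allowlist alone would close this bug, but the exec-without-shell form is the one to ship: it makes the outcome independent of whether every future caller remembers to validate, and it removes the `/*` glob that the vulnerable command line relied on the shell to expand.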
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shenzhen_tvt | cctv-dvr | — | — |
Detection & IOCs (extracted from sources)
Snort/Suricata rule (ET SID 2065209):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TVT language Command Injection Attempt (CVE-2025-34036)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/language/"; startswith; pcre:"/^.*?[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; content:"|24 7b|IFS|7d|"; fast_pattern; content:"/"; distance:0; reference:url,www.exploit-db.com/exploits/39596; reference:cve,2025-34036; classtype:attempted-admin; sid:2065209; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_15, cve CVE_2025_34036, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Bytes IOC: |24 7b|IFS|7d| (the literal string ${IFS})
- Monitor for unauthenticated HTTP GET requests to paths beginning with /language/ on TCP ports 81 and 82, particularly where the [lang] path segment contains shell metacharacters (;, newline, backtick, pipe, $) or their URL-encoded equivalents (%3B, %0A, %60, %7C, %24).
- The Snort/Suricata rule (ET SID 2065209) keys on an HTTP GET whose URI starts with /language/, contains one of those metacharacters, and then carries the literal ${IFS} (hex |24 7b|IFS|7d|) followed by a /. ${IFS} is the shell's internal field separator; the published exploit uses it in place of spaces because a space would break the URI path, so a legitimate request has no reason to contain it.
- Active exploitation was observed by the Shadowserver Foundation on 2025-02-06 UTC. Treat a match as an exploitation attempt rather than benign scanning: the signature requires the injected command itself, not just a probe of the /language/ path, so even a mass scanner that triggers it is delivering the payload. Check whether the targeted host answered on port 81 or 82 to prioritise the response.
- Successful exploitation yields command execution as root; look for unexpected outbound connections or child processes spawned by the DVR's web service following a matching inbound request.
- The rule inspects plaintext HTTP only (tls_state plaintext). If the DVR is fronted by a TLS-terminating proxy, the sensor must sit on the proxy's plaintext side, between the proxy and the DVR; a sensor on the client side sees only TLS and the rule will not fire.
- The rule's destination is $HOME_NET with port any, so a match depends on the sensor actually parsing HTTP on TCP 81 and 82. Snort's HTTP inspector runs only on the ports it is bound to, and these non-standard ports are easy to leave out of that list; Suricata detects HTTP by content on any port by default, but confirm that in your configuration rather than assuming it.
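The detection logic the bullets above describe, run over a handful of constructed request lines, as an added C example that is not part of the page or of the ET rule: it percent-decodes the request target, requires the /language/ prefix, and grades the rest of the path SUSPICIOUS when it contains one of the rule's metacharacters and EXPLOIT when it also carries the ${IFS} marker. The sample lines are made up for the demonstration, and the grading is my own simplification of the rule's pcre, not a port of it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { CLEAN = 0, SUSPICIOUS = 1, EXPLOIT = 2 };

/* Percent-decode src into dst (dst needs strlen(src)+1 bytes). Malformed
 * escapes are copied through unchanged. Returns the decoded length. */
size_t url_decode(const char *src, char *dst)
{
    size_t n = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1])
                          && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            dst[n++] = src[i];
        }
    }
    dst[n] = '\0';
    return n;
}

/* Copy the request target out of "METHOD target HTTP/x.y". */
static int request_target(const char *line, char *uri, size_t urilen)
{
    const char *start = strchr(line, ' ');
    if (!start)
        return -1;
    start++;
    const char *end = strchr(start, ' ');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len >= urilen)
        return -1;
    memcpy(uri, start, len);
    uri[len] = '\0';
    return 0;
}

/* Grade one HTTP request line. Mirrors the rule's conditions: GET, URI
 * starting with /language/, a shell metacharacter (raw or percent-encoded)
 * after the prefix, and ${IFS} as the high-confidence exploit marker. */
int classify_request(const char *line)
{
    char raw[1024], uri[1024];
    if (strncmp(line, "GET ", 4) != 0)
        return CLEAN;
    if (request_target(line, raw, sizeof raw) < 0)
        return CLEAN;
    url_decode(raw, uri);                 /* %3B, %24 ... become ; $ ... */
    if (strncmp(uri, "/language/", 10) != 0)
        return CLEAN;
    const char *rest = uri + 10;          /* [lang] and whatever follows it */
    if (strpbrk(rest, ";\n`|$") == NULL)
        return CLEAN;
    return strstr(rest, "${IFS}") ? EXPLOIT : SUSPICIOUS;
}

/* Constructed sample request lines, not captured traffic. */
static const char *const SAMPLE_LINES[] = {
    "GET /language/en/index.html HTTP/1.1",
    "GET /language/en;${IFS}id;/index.html HTTP/1.1",
    "GET /language/en%3B%24%7BIFS%7D/bin/sh%24%7BIFS%7D-c%24%7BIFS%7Did%3B/index.html HTTP/1.1",
    "GET /language/en%7Cid/index.html HTTP/1.1",
    "GET /index.html HTTP/1.1",
};
#define N_SAMPLES (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Count how many sample lines reach the EXPLOIT verdict. */
int count_exploit_hits(void)
{
    int hits = 0;
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (classify_request(SAMPLE_LINES[i]) == EXPLOIT)
            hits++;
    return hits;
}

int main(void)
{
    static const char *const names[] = { "CLEAN", "SUSPICIOUS", "EXPLOIT" };
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("%-10s %s\n", names[classify_request(SAMPLE_LINES[i])], SAMPLE_LINES[i]);
    printf("exploit hits: %d\n", count_exploit_hits());
    return 0;
}
```

Decoding before matching is the point of the example: the third sample line carries the whole payload percent-encoded, and a matcher that looked for the raw bytes `${IFS}` without first decoding would grade it no higher than the pipe-only probe on the fourth line.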
CVSS provenance
NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v4.0: 10.0 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 10.0 CRITICAL
GHSA
GHSA-ppp6-57cw-px5q (unreviewed, 2025-06-26) · CRITICAL · CWE-20
VulnCheck
TVT td-2108ts-cl_firmware: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') · 2025 · CVSS 10.0 · CRITICAL
Affected: TVT DVRs
Suricata
ET WEB_SPECIFIC_APPS TVT language Command Injection Attempt (CVE-2025-34036) · 2025-10-15 · SID 2065209 · CVSS 10.0 · CRITICAL
Rule: reproduced in full under Detection & IOCs above.
No public exploits indexed on this page. Note, however, that the ET rule and the references below cite Exploit-DB 39596 and the 2016 kerneronsec.com write-up, which documented this Cross Web Server /language/ command injection years before the CVE was assigned; a working exploit has therefore been public since 2016.
References
- https://vulncheck.com/advisories/shenzhen-tvt-cctv-dvr-command-injection
- https://web.archive.org/web/20160322204109/http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html
- https://www.exploit-db.com/exploits/39596