CVE-2025-34036
published 2025-06-24


Priority: P1 · 90 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 25.28% (97.7th percentile)

An OS command injection vulnerability exists in white-labeled DVRs manufactured by TVT, affecting a custom HTTP service called "Cross Web Server" that listens on TCP ports 81 and 82. The web interface fails to sanitize input in the URI path passed to the language extraction functionality. When the server processes a request to /language/[lang]/index.html, it uses the [lang] input unsafely in a tar extraction command without proper escaping. This allows an unauthenticated remote attacker to inject shell commands and achieve arbitrary command execution as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shenzhen_tvt | cctv-dvr | | |

Detection & IOCs (extracted from sources)

path: /language/[lang]/index.html
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TVT language Command Injection Attempt (CVE-2025-34036)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/language/"; startswith; pcre:"/^.*?[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; content:"|24 7b|IFS|7d|"; fast_pattern; content:"/"; distance:0; reference:url,www.exploit-db.com/exploits/39596; reference:cve,2025-34036; classtype:attempted-admin; sid:2065209; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_15, cve CVE_2025_34036, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |24 7b|IFS|7d|
  • Monitor for unauthenticated HTTP GET requests to paths beginning with /language/ on TCP ports 81 and 82, particularly where the [lang] path segment contains shell metacharacters (;, newline, backtick, pipe, $) or their URL-encoded equivalents (%3B, %0A, %60, %7C, %24).
  • The Snort/Suricata rule (ET SID 2065209) keys on HTTP GET to /language/ (startswith) combined with the IFS shell variable pattern (hex |24 7b|IFS|7d| = ${IFS}) in the URI, which is a common shell injection bypass technique used in this exploit.
  • Active exploitation was observed in the wild by the Shadowserver Foundation on 2025-02-06 UTC; treat any matching traffic as high-confidence active exploitation rather than scanning noise.
  • Successful exploitation results in command execution as root; look for unexpected outbound connections or process spawning from the DVR's web service process following matching inbound HTTP requests.
  • The Snort/Suricata rule targets plaintext HTTP only (tls_state plaintext); if the DVR is fronted by a TLS-terminating proxy, the rule will not fire on encrypted traffic.
  • The rule is scoped to $HOME_NET as the destination; ensure TCP ports 81 and 82 are included in your monitored port ranges, as these are non-standard ports that may be excluded from default HTTP inspection configurations.
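
Where no IDS sits in the path, the same checks can be run over web or proxy access logs. The following is an added example, not part of the original page or the ET ruleset; it assumes Common Log Format lines from a sensor or proxy in front of the DVR, and the function names and sample lines are constructed.

```python
import re
from urllib.parse import unquote

PREFIX = "/language/"
SHELL_META = set(";\n`|$")   # metacharacters listed in the detection notes
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return None, 'suspicious' or 'high' for one access-log line."""
    m = REQUEST_RE.search(log_line)
    if not m or m.group("method") != "GET":
        return None
    uri = m.group("uri")
    if not uri.startswith(PREFIX):
        return None
    # Decode once so %3B, %0A, %60, %7C and %24 compare as raw characters.
    # The whole remainder is checked: injected text may itself contain "/".
    rest = unquote(uri[len(PREFIX):])
    if "${IFS}" in rest:
        return "high"        # same marker the ET rule uses as fast_pattern
    if SHELL_META.intersection(rest):
        return "suspicious"
    return None

def scan(lines):
    """Return (severity, source_ip) for every line that matches."""
    hits = []
    for line in lines:
        severity = classify(line)
        if severity:
            hits.append((severity, line.split()[0]))
    return hits

# Constructed sample lines; CMD and ARG are inert placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /language/English/index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /language/xx%3BCMD/index.html HTTP/1.1" 200 0',
    '203.0.113.5 - - [01/Jan/2025:10:00:09 +0000] "GET /language/xx%7CCMD%24%7BIFS%7DARG/index.html HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2025:10:00:12 +0000] "POST /language/xx%3BCMD/index.html HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2025:10:00:15 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for severity, ip in scan(SAMPLE_LOG):
        print(severity, ip)
```

The access log records only the request line, so correlate hits with flow data for TCP ports 81 and 82 to confirm the request reached the DVR service.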

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 10.0 · CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 10.0 · CRITICAL