CVE-2025-34132
published 2025-07-16


Priority: P1 · 85 · critical · 9.3 CVSS 4.0
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 1.76% (75.2th percentile)
A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| merit_lilin | dvr_firmware | < 2.0b60_20200207 | 2.0b60_20200207 |

Detection & IOCs (extracted from sources)

path: /z/zbin/dvr_box
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS LILIN dvr_box Server Parameter Command Injection Attempt (CVE-2025-34132)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/z/zbin/dvr_box"; fast_pattern; http.request_body; content:"Server"; pcre:"/^(?:\x3d|\x2f\x3e)[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day/; reference:cve,2025-34132; classtype:attempted-admin; sid:2065211; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_15, cve CVE_2025_34132, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic is plaintext HTTP POST to URI /z/zbin/dvr_box (exactly 15 bytes). Match on HTTP method POST, URI bsize:15 with content '/z/zbin/dvr_box', and request body containing 'Server' followed by shell metacharacters (;, newline, backtick, pipe, $) in URL-encoded or raw form.
  • Injection is delivered via the 'Server' field in NTPUpdate XML configuration submitted to the DVRPOST interface. Look for XML payloads containing shell metacharacters in the Server element.
  • Commands execute as root. Post-exploitation activity should be monitored for root-level process spawning from the DVR web service process.
  • This vulnerability has been observed exploited by multiple botnets in the wild (reference: Netlab 360 blog on LILIN DVR 0-day botnet campaigns).
  • Only LILIN DVR devices running firmware versions prior to 2.0b60_20200207 are vulnerable. Devices on or after this firmware version are not affected.
  • The Snort/Suricata rule (SID 2065211) is scoped to plaintext HTTP only (tls_state plaintext). Exploitation over HTTPS would not be detected by this signature.
  • The rule targets inbound traffic to $HOME_NET. Ensure internal LILIN DVR management interfaces are included in the $HOME_NET variable for effective coverage.
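For retrospective hunting where only request logs are available, the rule's three conditions can be applied offline. The following is an added example, not part of the original entry or of the rule's author: a Python port of the signature's PCRE run over constructed records. The record layout, the IP addresses and the `Port`/`Note` field names are assumptions made for illustration, and the sample bodies exercise the regex rather than reproduce the device's real request format.

```python
import re

# Python port of the PCRE in SID 2065211: "Server" followed by "=" or "/>",
# then a run of non-"&" characters up to a raw or URL-encoded
# ";", newline, backtick, "|" or "$".
SERVER_INJECTION = re.compile(
    r"Server(?:=|/>)[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)"
)
DVR_BOX_URI = "/z/zbin/dvr_box"  # path from the entry; bsize:15 means the whole URI


def matches_rule(method: str, uri: str, body: str) -> bool:
    """Return True when a request satisfies the signature's three conditions."""
    if method != "POST":      # http.method content:"POST" (case-sensitive)
        return False
    if uri != DVR_BOX_URI:    # content plus bsize:15: nothing may follow the path
        return False
    return SERVER_INJECTION.search(body) is not None


def triage(records):
    """Yield the source address of every record that needs review."""
    for src, method, uri, body in records:
        if matches_rule(method, uri, body):
            yield src


# Constructed sample records (source, method, URI, request body); not real traffic.
SAMPLE = [
    ("198.51.100.7", "POST", "/z/zbin/dvr_box", "Server=ntp.example.invalid"),
    ("198.51.100.8", "POST", "/z/zbin/dvr_box", "Server=ntp.example.invalid;PLACEHOLDER"),
    ("198.51.100.9", "POST", "/z/zbin/dvr_box", "Server=ntp.example.invalid%60PLACEHOLDER%60"),
    # The metacharacter sits in a different field: "[^&]" stops the scan at "&".
    ("198.51.100.10", "POST", "/z/zbin/dvr_box", "Port=123&Server=ntp.example.invalid&Note=a;b"),
    ("198.51.100.11", "GET", "/z/zbin/dvr_box", "Server=x;PLACEHOLDER"),
    # A query string makes the URI longer than 15 bytes, so bsize:15 fails.
    ("198.51.100.12", "POST", "/z/zbin/dvr_box?x=1", "Server=x|PLACEHOLDER"),
]

if __name__ == "__main__":
    for src in triage(SAMPLE):
        print(src, "Server field carries a shell metacharacter")
```

The exact URI comparison mirrors `bsize:15`, so a log source that records the path without its query string will match more requests than the network signature would.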

CVSS provenance

nvd · v4.0 · 9.3 · CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 9.3 · CRITICAL