CVE-2025-34132
published 2025-07-16
Priority P185 · critical · 9.3 · CVSS 4.0
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 1.76% (75.2th percentile)
A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| merit_lilin | dvr_firmware | < 2.0b60_20200207 | 2.0b60_20200207 |
Detection & IOCs (extracted from sources)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS LILIN dvr_box Server Parameter Command Injection Attempt (CVE-2025-34132)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/z/zbin/dvr_box"; fast_pattern; http.request_body; content:"Server"; pcre:"/^(?:\x3d|\x2f\x3e)[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day/; reference:cve,2025-34132; classtype:attempted-admin; sid:2065211; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_15, cve CVE_2025_34132, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit traffic is plaintext HTTP POST to URI /z/zbin/dvr_box (exactly 15 bytes). Match on HTTP method POST, URI bsize:15 with content '/z/zbin/dvr_box', and request body containing 'Server' followed by shell metacharacters (;, newline, backtick, pipe, $) in URL-encoded or raw form.
- Injection is delivered via the 'Server' field in NTPUpdate XML configuration submitted to the DVRPOST interface. Look for XML payloads containing shell metacharacters in the Server element.
- Commands execute as root. Post-exploitation activity should be monitored for root-level process spawning from the DVR web service process.
- This vulnerability has been observed exploited by multiple botnets in the wild (reference: Netlab 360 blog on LILIN DVR 0-day botnet campaigns).
- Only LILIN DVR devices running firmware versions prior to 2.0b60_20200207 are vulnerable. Devices on or after this firmware version are not affected.
- The Snort/Suricata rule (SID 2065211) is scoped to plaintext HTTP only (tls_state plaintext). Exploitation over HTTPS would not be detected by this signature.
- The rule targets inbound traffic to $HOME_NET. Ensure internal LILIN DVR management interfaces are included in the $HOME_NET variable for effective coverage.
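For reviewing captured requests offline, the three conditions of SID 2065211 can be restated in Python. This is an added example, not the rule author's code; the sample requests, the `Interval` and `Note` field names and the `time.example.net` host are constructed for illustration, and the URI is compared as it would appear in `http.uri` (query string included).

```python
import re

# Added example: a Python restatement of the matching logic in SID 2065211.
DVR_URI = "/z/zbin/dvr_box"

# "Server", then "=" or "/>", then any bytes except "&", then one or more of
# ; newline ` | $ in raw or URL-encoded form (the rule's relative pcre).
SERVER_INJECTION = re.compile(
    rb"Server(?:=|/>)[^&]*?"
    rb"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)+"
)


def rule_matches(method: str, uri: str, body: bytes) -> bool:
    """True when a request satisfies all three conditions of the rule."""
    if method != "POST":
        return False
    if uri != DVR_URI:  # bsize:15 plus the content match means an exact URI
        return False
    return SERVER_INJECTION.search(body) is not None


# Constructed sample requests (id, method, uri, body); not captured traffic.
SAMPLES = [
    ("benign-ntp", "POST", DVR_URI, b"Server=time.example.net&Interval=60"),
    ("raw-semicolon", "POST", DVR_URI, b"Server=time.example.net;placeholder"),
    ("encoded-pipe", "POST", DVR_URI, b"Server=time.example.net%7cplaceholder"),
    ("other-field", "POST", DVR_URI, b"Server=time.example.net&Note=a;b"),
    ("wrong-method", "GET", DVR_URI, b"Server=time.example.net;placeholder"),
    ("longer-uri", "POST", DVR_URI + "?x=1", b"Server=time.example.net;placeholder"),
]


def flagged(samples):
    """Return the ids of the sample requests the rule logic would alert on."""
    return [sid for sid, method, uri, body in samples
            if rule_matches(method, uri, body)]


if __name__ == "__main__":
    for sid in flagged(SAMPLES):
        print("ALERT", sid)
```

The `other-field` sample shows the effect of `[^\x26]*?`: a metacharacter that appears only after the next `&` is not attributed to `Server`.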
CVSS provenance
nvd · v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 9.3 CRITICAL
GHSA
GHSA-g9j5-xpjv-f35r: A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2
ghsa_unreviewed·2025-07-17
CVE-2025-34132 [CRITICAL] CWE-20 GHSA-g9j5-xpjv-f35r: A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2
VulnCheck
TVT dvr Improper Input Validation
vulncheck·2025·CVSS 9.3
CVE-2025-34132 [CRITICAL] TVT dvr Improper Input Validation
Affected: LILIN Digital Video Recorder (DVR)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day/; https://ducklingstudio.blog.fc2.com/blog-entry-400.html; http
Suricata
ET WEB_SPECIFIC_APPS LILIN dvr_box Server Parameter Command Injection Attempt (CVE-2025-34132)
suricata·2025-10-15·CVSS 9.3
CVE-2025-34132 [CRITICAL] ET WEB_SPECIFIC_APPS LILIN dvr_box Server Parameter Command Injection Attempt (CVE-2025-34132)
No public exploits indexed.
2025-07-16
Published
Exploited in the wild