Threat actors are actively exploiting a five year old, unfixed flaw impacting TBK’s digital video recording (DVR) devices, according to an advisory issued by Fortinet FortiGuard Labs.
The vulnerability in question is CVE-2018-9995 (CVSS score: 9.8), a critical authentication bypass issue that can be exploited by remote actors to gain higher permissions.
“5 year old vulnerability (CVE-2018-9995) caused by an error handling maliciously crafted HTTP cookies,” Fortinet said in an outbreak alert on May 1, 2023. “Remote attackers may be able to exploit this vulnerability to bypass authentication and gain administrative privileges which in turn direct access to the camera’s video feed.”
The network security company says it observed more than 50,000 attempts to exploit TBK DVR devices using the flaw in April 2023. Despite a proof of concept available (PoC) exploit, none of the fixes address the vulnerability.
The flaw affects the TBK DVR4104 and DVR4216 product lines, which were also renamed and sold under the names CeNova, Login DVR, Login HVR, Login MDVR, Night OWL, Novo, QSee, Pulnix, Securus and XVR 5 in 1.
In addition, Fortinet warns of spikes in exploits CVE-2016-20016 (CVSS Score: 9.8), another critical vulnerability affecting MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE.
The flaw could allow an unauthenticated remote attacker to execute arbitrary operating system commands as root due to the existence of a web shell accessible via the /shell URI.
“With tens of thousands of TBK DVRs available under various brands, the publicly available, easy-to-exploit PoC code makes this vulnerability an easy target for attackers,” Fortinet said. “The recent spike in IPS detections indicates that network camera devices remain a popular target for attackers.”