According to an advisory issued by Fortinet FortiGuard Labs, threat actors are actively exploiting a five-year-old unpatched flaw affecting TBK digital video recording (DVR) devices.
The vulnerability in question is CVE-2018-9995 (CVSS Score: 9.8), a critical authentication bypass issue that could be exploited by remote actors to gain elevated permissions.
“The 5-year-old vulnerability (CVE-2018-9995) is due to an error in handling a maliciously crafted HTTP cookie,” Fortinet said in an outbreak alert on May 1, 2023. “A remote attacker can exploit this flaw to bypass authentication and gain administrative privileges that eventually leads to access to the camera’s video feeds.”
The network security firm said it observed more than 50,000 attempts to exploit TBK DVR devices using the flaw in the month of April 2023. Despite the availability of a proof-of-concept (PoC) exploit, no fixes are available that address the vulnerability.
The defect affects the TBK DVR4104 and DVR4216 product lines, which are also rebranded and sold under the names CeNova, DVR Login, HVR Login, MDVR Login, Night OWL, Novo, QSee, Pulnix, Securus and XVR 5-in-1.
In addition, Fortinet warned of an increase in the exploitation of CVE-2016-20016 (CVSS score: 9.8), another critical vulnerability affecting MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE.
The flaw could allow an unauthenticated remote attacker to execute arbitrary operating system commands as root due to the presence of a web shell that is accessible via a /shell URI.
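A defensive check for the `/shell` exposure described above, as an added example (not code from Fortinet or the device vendor): it scans access logs from a proxy or gateway in front of the DVR and reports which sources requested `/shell` and which of them got an answer. The Combined Log Format, the sample lines and the reading of HTTP 200 as "endpoint reachable" are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format, as written by many reverse proxies (assumed log source).
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def shell_uri_hits(lines):
    """Return {source_ip: [(timestamp, status), ...]} for requests to /shell."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        # Drop the query string, decode %xx escapes, collapse repeated slashes,
        # so /shell?..., /%73hell and //shell/ all compare equal to /shell.
        path = unquote(m["target"].split("?", 1)[0])
        path = re.sub(r"/+", "/", path).rstrip("/").lower()
        if path == "/shell":
            hits[m["src"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def answered_sources(hits):
    """Sources that received HTTP 200 from /shell (assumed: endpoint reachable)."""
    return sorted(src for src, reqs in hits.items()
                  if any(status == 200 for _, status in reqs))

# Constructed sample lines (documentation IP ranges, query strings redacted).
SAMPLE = [
    '203.0.113.7 - - [01/May/2023:10:00:01 +0000] "GET /shell?REDACTED HTTP/1.1" 200 57',
    '203.0.113.7 - - [01/May/2023:10:00:05 +0000] "GET /%73hell?REDACTED HTTP/1.1" 200 12',
    '198.51.100.23 - - [01/May/2023:10:02:11 +0000] "GET //shell/ HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/May/2023:10:03:00 +0000] "GET /shellfish.html HTTP/1.1" 200 900',
    '192.0.2.10 - - [01/May/2023:10:03:09 +0000] "GET /index.html?next=/shell HTTP/1.1" 200 900',
    'garbage line',
]

if __name__ == "__main__":
    found = shell_uri_hits(SAMPLE)
    for src, reqs in found.items():
        print(src, reqs)
    print("device answered:", answered_sources(found))
```

Any source listed by `answered_sources` means the device is reachable on that URI and should be taken off the exposed network segment and examined.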
“With tens of thousands of TBK DVRs available under different brands, publicly available PoC code, and ease of exploitation make this vulnerability an easy target for attackers,” Fortinet noted. “The recent increase in IPS detections shows that network camera devices remain a popular target for attackers.”
A five-year-old unpatched vulnerability has been identified in TBK DVR devices and hackers have been exploiting it to gain access to networks and systems around the world. Security updates from the manufacturer have been unavailable since the product was released back in 2011 and the vulnerability places businesses and their networks at high risk.
Compromised systems have already been observed sending unauthorized traffic over the Internet, which increases the risk of malicious actors accessing personal and corporate information stored on them. This type of activity is even more alarming given that the affected systems could potentially be part of an organization’s critical infrastructure, such as energy and water systems.
Ikaroa, a full stack tech company, has identified this vulnerability and recommends that users of the devices take immediate action by installing enhanced security measures. Ikaroa recommends the following actions: updating to the latest versions of firmware, resetting the devices to their factory settings, and conducting real-time monitoring and assessment of network traffic to detect suspicious activity.
It is important to be aware that device passwords and other authentication mechanisms through which hackers gain access might exist on the compromised device. Keeping device passwords secure and ensuring systems are regularly updated remains one of the most effective ways to avoid becoming a victim of this type of attack.
Given the long duration of this vulnerability and the number of affected products, it is essential for organizations to remain vigilant and ensure proper security measures are in place. By taking the necessary steps to ensure the security of their own systems, organizations can mitigate their risk of becoming victims of this malicious activity.