5-Year-Old Vulnerability in TBK DVR Devices Exploited

An unpatched 2018 authentication bypass vulnerability in exposed TBK DVR (digital video recording) devices is being actively exploited by threat operators. DVRs are essential components of security surveillance systems because they record, and store footage captured by cameras. According to TBK Vision’s website, its products are used in banks, government agencies, the retail industry, and other industries. The DVR servers are typically situated on internal networks to prevent unauthorized access to the recorded video because they’re used to keep sensitive security footage. However, this attracts threat actors who can use them to gain initial access to companies’ networks and steal data.

A recent increase in beaching attempts on TBK DVR devices has been reported, with threat actors targeting a vulnerability in the servers using a publicly available proof of concept (PoC) exploit. The vulnerability, listed as CVE-2018-9995, is a significant flaw that allows threat operators to bypass device authentication and obtain access to impacted networks. The exploit uses a maliciously constructed HTTP cookie, to which vulnerable TBK DVR devices respond with admin credentials in JSON data format. Remote threat operators can exploit the flaw to bypass authentication and obtain administrative privileges that can lead to access to camera video feeds. The vulnerability affects the TBK DVR4104 and DVR4216 and rebranded versions sold under the Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR brands. There were over 50,000 attempts to exploit TBK DVR devices utilizing the flaw as of April 2023. 

With thousands of TBK DVRs available under various brands, publicly available PoC code, and an easy-to-exploit platform makes, the vulnerability an easy target for threat operators. An increase in IPS detections indicates that network camera devices are still a popular target for threat operators. To prevent unauthorized access, it’s recommended that vulnerable surveillance systems be replaced with new and actively supported models or be isolated from the internet. CVE-2016-20016, a remote code execution vulnerability affecting MVPower TV-7104HE and TV-7108HE DVRs, allows threat operators to perform unauthenticated command execution through malicious HTTP requests, is another old flaw undergoing an exploitation “outbreak.” Even though the flaw has been actively exploited in the wild since 2017, there has recently been an increase in malicious activity leveraging it.

With threat operators looking to exploit new and old vulnerabilities on networks, devices, and software, it’s crucial for companies always to remain vigilant of the latest threat landscape and regularly update their software, network, and devices to prevent future vulnerabilities from being exploited. At SpearTip, network vulnerability assessments are essential to the risk management process. They should be conducted regularly to ensure devices on your network are not open to known vulnerabilities. We will comprehensively identify, classify, and analyze known and potential vulnerabilities, then provide actionable solutions to eliminate future cybersecurity problems. Our assessments leave no stone unturned in examining how companies leverage their current technology. We review application and operating system access controls and analyze physical access to their systems. We conclude with detailed reports and recommendations to keep them compliant and safe, according to industry standards.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.