CVE-2025-34036

Shenzhen TVT CCTV-DVR Command Injection

CVSS 10 CRITICALEPSS 25.3%CWE-78

Vexday Risk Score

53Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 10EPSS 25.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

24 Jun 2025Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

An OS command injection vulnerability exists in white-labeled DVRs manufactured by TVT, affecting a custom HTTP service called "Cross Web Server" that listens on TCP ports 81 and 82. The web interface fails to sanitize input in the URI path passed to the language extraction functionality. When the server processes a request to /language/[lang]/index.html, it uses the [lang] input unsafely in a tar extraction command without proper escaping. This allows an unauthenticated remote attacker to inject shell commands and achieve arbitrary command execution as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected products

Shenzhen TVT · CCTV-DVR

public PoCs found — 2

cve_referenceweb.archive.org/web/20160322204109/http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.htmlunverified cve_referencewww.exploit-db.com/exploits/39596unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://vulncheck.com/advisories/shenzhen-tvt-cctv-dvr-command-injection https://web.archive.org/web/20160322204109/http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html https://www.exploit-db.com/exploits/39596