CVE-2016-20016

Name of the Vulnerable Software and Affected Versions MVPower CCTV DVR models, including TV-7104HE version 1.8.4 115215B9 and TV7108HE, versions from 2014 through 2019

Description The issue allows a remote unauthenticated attacker to execute arbitrary operating system commands as root via a web shell accessible through the /shell URI. This has been referred to as the "JAWS webserver RCE" due to the identifiable HTTP response server field. The vulnerability was exploited in the wild from 2017 through 2022.

Recommendations For MVPower CCTV DVR models, including TV-7104HE version 1.8.4 115215B9 and TV7108HE, versions from 2014 through 2019, consider disabling access to the /shell URI as a temporary workaround until a patch is available. Restricting access to this URI can minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.