PT-2025-47964 · Shenzhen Tvt Digital Technology Co. · Nvms-9000
Published
2025-11-24
·
Updated
2025-11-24
·
CVE-2018-25126
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware versions prior to mid-February 2018
Description
The NVMS-9000 firmware, used in various DVR/NVR/IPC products, has hardcoded API credentials and an OS command injection flaw within its configuration services. The web/API interface authenticates requests using a fixed vendor credential string and improperly sanitizes user-controlled fields before passing them to shell execution contexts. An unauthenticated remote attacker can exploit this to access endpoints like
/editBlackAndWhiteList and inject shell metacharacters within XML parameters, leading to arbitrary command execution as root. The vulnerable backend is also accessible via a proprietary TCP service on port 4567, which accepts a magic GUID preface and base64-encoded XML, enabling the same command injection. The Shadowserver Foundation observed exploitation of this issue on 2025-01-28 UTC.Recommendations
Update to firmware releases from mid-February 2018 or later.
Exploit
Fix
OS Command Injection
Using Hardcoded Credentials
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Nvms-9000