LiveActive security incident?Get immediate response
CVE Record

CVE-2018-25126: TVT NVMS-9000 Hard-coded API Credentials & Command Injection

Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachable in some models through a proprietary TCP service on port 4567 that accepts a magic GUID preface and base64-encoded XML, enabling the same command injection sink. Firmware releases from mid-February 2018 and later are reported to have addressed this issue. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-28 UTC.

CriticalCVSS 9.3Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

TVT NVMS-9000 firmware used in DVR/NVR/IPC products has a critical flaw where fixed vendor credentials can allow remote access to vulnerable configuration services, and unsafe handling of XML fields can lead to command execution as root. Internet-exposed devices are high risk, especially because many products may be white-labeled and not obviously branded as TVT.

Executive priority

Urgent. Prioritize internet-exposed DVR/NVR/IPC devices immediately, then validate internal deployments. Patch, isolate, or replace affected devices before normal change windows if exposure is confirmed.

Technical view

The bundle describes two linked weaknesses in Shenzhen TVT NVMS-9000 firmware: hard-coded API credentials and OS command injection in configuration services. A remote unauthenticated attacker can use the fixed credential path to reach vulnerable API/configuration handlers and trigger command execution through improperly sanitized XML parameters. The same backend may also be reachable on some models through a proprietary TCP service on port 4567. Reported affected firmware is addressed by releases from mid-February 2018 and later, but OEM/white-label firmware should be verified with vendor guidance.

Likely exposure

Highest exposure is internet-facing DVR, NVR, and IPC devices running TVT NVMS-9000-derived firmware, including white-labeled OEM products. Devices with exposed web/API management interfaces or the proprietary TCP service on port 4567 are the primary concern. Internal-only devices still present lateral movement and persistence risk if an attacker gains network access.

Exploitation context

The CVE bundle reports exploitation evidence observed by the Shadowserver Foundation on 2025-01-28 UTC. The vulnerability is not marked as CISA KEV in the provided bundle. Public technical and exploit references are listed in the bundle, so defenders should assume attacker knowledge is available without relying on obscurity.

Researcher notes

Do not assume all TVT-branded or OEM devices are affected without firmware validation. Do not assume a fix exists for every white-labeled product; use vendor or OEM firmware guidance. The source bundle includes patch-related evidence through an archived vendor advisory and states that firmware from mid-February 2018 and later addressed the issue.

Mitigation direction

  • Inventory DVR/NVR/IPC assets and identify TVT NVMS-9000 or OEM firmware derived from TVT NVMS-9000.
  • Update affected devices to vendor-confirmed firmware releases from mid-February 2018 or later, and verify OEM-specific firmware guidance before assuming a device is fixed.
  • Remove management interfaces from direct internet exposure.
  • Restrict access to management/API services and proprietary services, including TCP port 4567 where present, using network ACLs, VPN-only access, or firewall rules.
  • Replace devices that cannot be updated or cannot receive vendor-supported firmware.
  • Review device logs and network telemetry for suspicious configuration API access or unexpected outbound connections, treating confirmed compromise as a full device rebuild or replacement scenario.

Validation and detection

  • Confirm each device model, vendor/OEM branding, firmware version, and firmware build date through administrative inventory or vendor documentation.
  • Verify that exposed management/API interfaces are not reachable from the public internet.
  • Verify that TCP port 4567 is not exposed except where explicitly required and tightly restricted.
  • Confirm firmware remediation against the vendor or OEM advisory, especially for white-labeled products.
  • Perform non-invasive log and telemetry review for suspicious requests to vulnerable configuration services and signs of post-compromise activity.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-78: Command execution behavior lookup

Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · medium confidence lookup

CWE-798: Credential and account abuse lookup

Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2018-25126 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.3 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
6Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.3CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

9.3Critical
CVSS 4.0 vector shape for CVE-2018-25126Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Shenzhen TVT Digital Technology Co., Ltd.NVMS-90000unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-78 · source CWE mapping

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-798 · source CWE mapping

Use of Hard-coded Credentials

Use of Hard-coded Credentials represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.