Security readout for executives and security teams
Plain-English summary
TVT NVMS-9000 firmware used in DVR/NVR/IPC products has a critical flaw where fixed vendor credentials can allow remote access to vulnerable configuration services, and unsafe handling of XML fields can lead to command execution as root. Internet-exposed devices are high risk, especially because many products may be white-labeled and not obviously branded as TVT.
Executive priority
Urgent. Prioritize internet-exposed DVR/NVR/IPC devices immediately, then validate internal deployments. Patch, isolate, or replace affected devices before normal change windows if exposure is confirmed.
Technical view
The bundle describes two linked weaknesses in Shenzhen TVT NVMS-9000 firmware: hard-coded API credentials and OS command injection in configuration services. A remote unauthenticated attacker can use the fixed credential path to reach vulnerable API/configuration handlers and trigger command execution through improperly sanitized XML parameters. The same backend may also be reachable on some models through a proprietary TCP service on port 4567. Reported affected firmware is addressed by releases from mid-February 2018 and later, but OEM/white-label firmware should be verified with vendor guidance.
Likely exposure
Highest exposure is internet-facing DVR, NVR, and IPC devices running TVT NVMS-9000-derived firmware, including white-labeled OEM products. Devices with exposed web/API management interfaces or the proprietary TCP service on port 4567 are the primary concern. Internal-only devices still present lateral movement and persistence risk if an attacker gains network access.
Exploitation context
The CVE bundle reports exploitation evidence observed by the Shadowserver Foundation on 2025-01-28 UTC. The vulnerability is not marked as CISA KEV in the provided bundle. Public technical and exploit references are listed in the bundle, so defenders should assume attacker knowledge is available without relying on obscurity.
Researcher notes
Do not assume all TVT-branded or OEM devices are affected without firmware validation. Do not assume a fix exists for every white-labeled product; use vendor or OEM firmware guidance. The source bundle includes patch-related evidence through an archived vendor advisory and states that firmware from mid-February 2018 and later addressed the issue.
Mitigation direction
- Inventory DVR/NVR/IPC assets and identify TVT NVMS-9000 or OEM firmware derived from TVT NVMS-9000.
- Update affected devices to vendor-confirmed firmware releases from mid-February 2018 or later, and verify OEM-specific firmware guidance before assuming a device is fixed.
- Remove management interfaces from direct internet exposure.
- Restrict access to management/API services and proprietary services, including TCP port 4567 where present, using network ACLs, VPN-only access, or firewall rules.
- Replace devices that cannot be updated or cannot receive vendor-supported firmware.
- Review device logs and network telemetry for suspicious configuration API access or unexpected outbound connections, treating confirmed compromise as a full device rebuild or replacement scenario.
Validation and detection
- Confirm each device model, vendor/OEM branding, firmware version, and firmware build date through administrative inventory or vendor documentation.
- Verify that exposed management/API interfaces are not reachable from the public internet.
- Verify that TCP port 4567 is not exposed except where explicitly required and tightly restricted.
- Confirm firmware remediation against the vendor or OEM advisory, especially for white-labeled products.
- Perform non-invasive log and telemetry review for suspicious requests to vulnerable configuration services and signs of post-compromise activity.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-78: Command execution behavior lookup
Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCWE-798: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupExecution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCredential and access behavior lookup
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2018-25126 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 9.3 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
9.3CriticalVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Source materials
- CVE List V5 sourceCVE List V5
- https://web.archive.org/web/20180614014914/http://en.tvt.net.cn:80/news/227.htmlCVE reference · vendor-advisory, patch
- https://github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txtCVE reference · technical-description, exploit
- https://qkl.seebug.org/vuldb/ssvid-97217CVE reference · exploit
- https://blogs.juniper.net/en-us/threat-research/iot-botnet-exploiting-tvt-shenzhen-dvrs-still-lingersCVE reference · related
- https://www.vulncheck.com/advisories/tvt-nvms9000-hardcoded-api-credentials-and-command-injectionCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Use of Hard-coded Credentials
Use of Hard-coded Credentials represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
