CVE-2025-10265

Digiever · Digiever Network Video Recorders (NVRs)

Executive summary

A critical vulnerability, identified as CVE-2025-10265, has been discovered in certain Digiever Network Video Recorder (NVR) models. This flaw allows a remote, unauthenticated attacker to take complete control of the affected device, potentially leading to the compromise of surveillance footage, system shutdown, or further attacks on the internal network.

Vulnerability

The vulnerability is an OS Command Injection flaw that can be exploited by an unauthenticated attacker over the network. By sending a specially crafted request to the device, an attacker can inject and execute arbitrary operating system commands with the privileges of the NVR's web service. This allows the attacker to gain a remote shell on the system, granting them full control over the device and its functions.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate risk to the organization. Successful exploitation could lead to severe consequences, including the theft, modification, or deletion of sensitive video surveillance data, compromising physical security. An attacker could also disable the NVR, creating a surveillance blackout, or use the compromised device as a pivot point to launch further attacks against other systems on the internal network.

Remediation

Immediate Action: Apply the latest firmware updates provided by the vendor to all affected Digiever NVR models without delay. Before and after patching, closely monitor device logs for any signs of compromise or unusual activity, and review historical access logs for indicators of exploitation attempts that may have occurred prior to remediation.

Proactive Monitoring: Implement enhanced monitoring for affected devices. Look for unusual outbound network traffic from the NVRs, unexpected processes or services running on the devices, and anomalous patterns in web server access logs that may indicate command injection attempts (e.g., requests containing shell metacharacters like ;, |, &&).
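One way to operationalise the access-log check described above is a small triage script that decodes each request target and flags the shell metacharacters the advisory names. The following is an added example written for this page, not code from Digiever or from any detection product; it assumes the NVR's web server writes a standard combined/common log format, and the sample log lines, the client addresses (RFC 5737 documentation ranges) and the `/cgi-bin/example.cgi` path are all constructed placeholders, not the real vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Apache/nginx common log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Shell metacharacters and constructs that have no business in an NVR request target.
# These are the indicators the advisory lists (; | &&) plus the two most common
# companions: command substitution and embedded newlines.
INDICATORS = {
    "semicolon": re.compile(r";"),
    "pipe": re.compile(r"\|"),
    "and-chain": re.compile(r"&&"),
    "subshell": re.compile(r"\$\(|`"),
    "newline": re.compile(r"[\r\n]"),
}


def decode_target(target):
    """URL-decode a request target twice so that both %3B and double-encoded
    %253B forms are visible to the indicator patterns."""
    return unquote(unquote(target))


def scan_access_log(lines):
    """Return one finding per log line whose decoded request target contains
    an indicator. Lines that do not parse are skipped, not treated as hits."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m.group("target"))
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
        if hits:
            findings.append({
                "line": lineno,
                "client": m.group("client"),
                "method": m.group("method"),
                "status": m.group("status"),
                "decoded_target": decoded,
                "indicators": hits,
            })
    return findings


def summarize_by_client(findings):
    """Count flagged requests per source address; a single client producing
    many hits is the usual shape of an automated injection attempt."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


# Constructed sample log lines (not real NVR traffic). Lines 1-2 are benign;
# lines 3-5 carry an encoded ';', an encoded '|' and a double-encoded '$(...)'.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Sep/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [15/Sep/2025:10:00:02 +0000] "GET /api/status?cam=1&format=json HTTP/1.1" 200 128',
    '198.51.100.7 - - [15/Sep/2025:10:00:05 +0000] "GET /cgi-bin/example.cgi?name=cam1%3Becho%20x HTTP/1.1" 200 64',
    '198.51.100.7 - - [15/Sep/2025:10:00:06 +0000] "POST /cgi-bin/example.cgi?name=cam1%7Cecho%20x HTTP/1.1" 500 0',
    '198.51.100.7 - - [15/Sep/2025:10:00:07 +0000] "GET /cgi-bin/example.cgi?name=%2524%2528echo%2529 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['client']} {f['method']} {f['decoded_target']} -> {f['indicators']}")
    print("per-client:", summarize_by_client(found))
```

Treat each finding as a triage lead rather than a verdict: a lone `;` can appear in legitimate query strings on some web stacks, so pair the output with the status code, the source address and whether the target is one the device actually serves. Because the NVR's own log may be the first thing an attacker with a shell would clear, forward the web server log to a collector off the device before running this kind of check.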

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

  • Isolate the NVRs from the public internet.
  • Segment the NVRs onto a dedicated network VLAN with strict firewall rules, allowing access only from trusted security management workstations.
  • Deploy an Intrusion Prevention System (IPS) with signatures capable of detecting and blocking OS command injection attacks.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the potential for complete system compromise by an unauthenticated attacker, this vulnerability requires immediate attention. We strongly recommend that all affected Digiever NVRs be patched immediately. If patching cannot be performed right away, the compensating controls listed above, particularly network isolation, must be implemented as a matter of urgency to reduce the attack surface and prevent exploitation.