OS Command Injection in TBK DVR-4104 and DVR-4216
CVE-2024-3721 is an OS command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recorder devices, including versions up to at least 20240412. The flaw is exposed through the HTTP endpoint /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX, where improper handling of the mdb and mdc request arguments allows attacker-controlled input to be incorporated into operating system command execution. Available reporting indicates the issue is remotely reachable over HTTP and does not require authentication. Public exploit code has been disclosed, and multiple reports describe in-the-wild exploitation to deliver Mirai-family botnet payloads such as Nexcorium and other variants.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a single C source file ('tbk.c') implementing a network-based exploit targeting embedded devices (likely TBK DVRs or similar IoT devices) with an HTTP service exposing a '/device.rsp' endpoint. The exploit operates as a scanner, establishing up to 256 concurrent TCP connections to random IP addresses (with some filtering to avoid reserved/private ranges) on port 80. For each connection, it attempts to send a crafted HTTP POST request to the '/device.rsp' endpoint, injecting a shell command that downloads and executes a binary ('arm7') from a remote server (92.246.90.22). The exploit is operational, as it automates both the scanning and exploitation process, and the payload provides remote code execution on the target. The code is self-contained but references some external headers (not included), likely for utility and randomization functions. The main attack vector is network-based, and the exploit is designed for mass exploitation of vulnerable IoT devices.
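Defenders who cannot patch immediately can at least detect probing and exploitation attempts against the endpoint described above. The following Python script is an added example written for this page, not code from the vendor, from Mallory, or from the exploit repository. It assumes the `mdb` and `mdc` arguments arrive in the query string of the logged request target (if a device or reverse proxy only logs the request line, parameters sent in a POST body will not be visible and must be captured at a WAF or proxy instead), and it assumes a standard combined access-log format; the log lines are constructed samples using documentation address ranges.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined access-log format: client, ident, user, [timestamp], "METHOD target PROTO", status, bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shell metacharacters that have no business in a DVR stream parameter.
SHELL_META = re.compile(r"[;`|&$<>\n\r]")

# Endpoint and argument names from the public description of CVE-2024-3721.
VULN_PATH = "/device.rsp"
VULN_QUERY = {"opt": "sys", "cmd": "S_O_S_T_R_E_A_MAX"}
TAINTABLE = ("mdb", "mdc")

# Constructed sample log lines (RFC 5737 test addresses, no real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Apr/2024:10:01:02 +0000] "POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=a%3Bid&mdc=x HTTP/1.1" 200 17 "-" "-"',
    '203.0.113.11 - - [12/Apr/2024:10:01:05 +0000] "GET /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX HTTP/1.1" 200 5 "-" "-"',
    '198.51.100.7 - - [12/Apr/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    '203.0.113.12 - - [12/Apr/2024:10:03:00 +0000] "GET /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=1&mdc=2 HTTP/1.1" 200 5 "-" "-"',
]


def classify_request(target):
    """Return (verdict, tainted_params) for a request target, or None if unrelated.

    'probe' means the vulnerable opt/cmd combination was requested;
    'exploit_attempt' means mdb/mdc additionally carried shell metacharacters.
    """
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    for key, expected in VULN_QUERY.items():
        if q.get(key) != [expected]:
            return None
    # parse_qs already percent-decodes once; unquote again to catch double encoding.
    tainted = [
        k for k in TAINTABLE
        if any(SHELL_META.search(unquote(v)) for v in q.get(k, []))
    ]
    if tainted:
        return ("exploit_attempt", tainted)
    return ("probe", [])


def scan_log(lines):
    """Run the classifier over access-log lines and return structured findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        result = classify_request(m["target"])
        if result is None:
            continue
        verdict, params = result
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "verdict": verdict,
            "params": params,
        })
    return findings


def summarize(findings):
    """Count findings per verdict, useful for a quick triage dashboard."""
    counts = {}
    for f in findings:
        counts[f["verdict"]] = counts.get(f["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["verdict"]} {h["params"]}')
    print(summarize(hits))
```

Because the reported campaigns scan the whole IPv4 space, even a bare "probe" hit from an unknown source on an internet-facing DVR is worth an alert; an "exploit_attempt" hit on an unpatched unit should trigger the assume-compromise response (isolate the device, inspect for unexpected outbound downloads, re-image).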
Affected products & vendors
Recent activity
A vulnerability in TBK digital video recorders exploited by the Nexus Team campaign to deploy the Nexcorium botnet malware.
An unauthenticated remote code execution vulnerability in TBK digital video recorders that is being exploited to deploy the Mirai-based Nexcorium botnet malware.
A vulnerability in TBK DVR devices that was abused in a recent campaign to gain access and deliver the Nexcorium Mirai variant, contributing to a vulnerability-driven IoT botnet campaign.
A command injection vulnerability in TBK DVR devices that is being exploited to deploy the Nexcorium Mirai variant and conscript devices into a DDoS botnet.