CVE-2018-9995 is an authentication bypass vulnerability affecting TBK DVR4104 and DVR4216 digital video recorder devices, as well as multiple rebranded versions (Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login). The vulnerability allows remote attackers to bypass authentication by sending a specially crafted HTTP request with the header 'Cookie: uid=admin'. This causes the device to treat the attacker as an authenticated admin user, granting access to sensitive device functions, such as user listing via the device.rsp?opt=user&cmd=list endpoint.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
12 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository contains a simple proof-of-concept exploit for CVE-2018-9995, targeting various vulnerable IP camera and DVR devices (such as Novo CeNova QSee Pulnix XVR 5 in 1, Securus Night OWL DVR, HVR, and MDVR). The exploit is implemented as a shell script (cve-2018-9995.sh) that prompts the user for the target device's IP address and port, then uses curl to send a crafted HTTP request to the device's /device.rsp endpoint with a special cookie header. This request exploits an authentication bypass vulnerability to retrieve the user list from the device. The repository also includes a brief README.md describing the exploit's purpose. No hardcoded endpoints are present; the user supplies the target at runtime. The exploit is a network-based POC and does not include weaponized or post-exploitation features.
This repository is a Rust-based proof-of-concept exploit for CVE-2018-9995, a vulnerability affecting certain DVR/NVR devices. The exploit consists of a main entry point (src/main.rs) and a library (src/lib.rs) containing the core logic. The exploit works by sending a crafted HTTP request to the target device's '/device.rsp?opt=user&cmd=list' endpoint with a specific cookie header ('uid=admin'). If the device is vulnerable, it responds with a JSON object containing user credentials, which the exploit parses and displays in a formatted table. The exploit is executed via the command line, requiring the target URL and optionally a port. The code uses Rust's process management to invoke 'curl' for the HTTP request and parses the response using serde_json. No hardcoded IPs or domains are present; the target is user-supplied. The repository is structured as a standard Rust project with a clear separation between the main executable and the library logic.
This repository provides an educational exploit and scanner for CVE-2018-9995, a critical information disclosure vulnerability affecting various DVR systems. The main exploit scripts are 'dvr_scanner.py' (feature-rich, interactive, with colored output and table formatting) and 'simple_exploit.py' (minimalist, command-line only). Both scripts send a crafted HTTP GET request to the endpoint '/device.rsp?opt=user&cmd=list' with the cookie 'uid=admin' to bypass authentication and extract user credentials in JSON format. The repository also includes comprehensive documentation: 'README.md' (project overview and usage), 'FINDING_DVR_SYSTEMS.md' (methods for identifying vulnerable DVRs), 'MANUAL_TESTING.md' (manual exploitation guide), and 'QUICK_START_GUIDE.md' (setup and usage instructions). The exploit targets DVRs from several vendors (Novo, CeNova, QSee, Pulnix, XVR, Securus, Night OWL, and others) running outdated firmware. The attack vector is network-based, requiring access to the DVR's web interface. The exploit is operational, providing real credential extraction but not weaponized for mass exploitation. No fake or destructive code is present; the repository is focused on credential disclosure for educational and testing purposes.
This repository contains an operational exploit for CVE-2018-9995, targeting a range of DVR devices (Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, etc.) vulnerable to an authentication bypass. The main exploit script, 'getDVR_Credentials.py', is written in Python and requires the user to specify the target host and port. The script sends a crafted HTTP GET request to the endpoint '/device.rsp?opt=user&cmd=list' with a 'uid=admin' cookie, exploiting the authentication bypass to retrieve a list of user credentials in JSON format. The script then parses and displays the usernames, passwords, and roles in a formatted table. The repository includes a README with usage instructions, affected products, and example output. No hardcoded endpoints or credentials are present; the script is fully configurable via command-line arguments. The exploit is operational and provides direct credential extraction from vulnerable DVRs.
This repository contains a Python exploit script (exploit.py) and a README.md for CVE-2018-9995, a vulnerability affecting various DVR/NVR devices from vendors such as Novo, CeNova, QSee, Pulnix, Securus, Night OWL, and Zeisic. The exploit leverages an authentication bypass to retrieve user credentials by sending a crafted HTTP GET request to the /device.rsp endpoint with a specific Cookie header. The script prompts the user for the target's IP and port, constructs the malicious request, and extracts the username and password from the device's response. The README provides usage instructions, affected vendors, and search dorks for finding vulnerable devices. The exploit is operational and provides direct credential extraction from vulnerable devices.
This repository contains a .NET console application (DVRFaultNET) that exploits the authentication bypass vulnerability CVE-2018-9995 in certain DVR devices. The main entry point is Program.cs, which prompts the user for the URL of a target DVR camera. The application then sends an HTTP GET request to the endpoint /device.rsp?opt=user&cmd=list on the target, including the header 'Cookie: uid=admin'. If the device is vulnerable, it responds with a JSON object containing all user credentials (usernames, passwords, roles, etc.), which the tool parses and displays to the user. The codebase is structured as a typical C# Visual Studio project, with separate files for HTTP logic (ClientUrl.cs), localization (Localization.cs), the main program logic (Program.cs), and data models (RespondModel.cs). The exploit is a proof-of-concept and does not provide post-exploitation capabilities beyond credential extraction. No hardcoded endpoints are present; the user must supply the target URL. The tool supports both English and Russian localization via a locale.json file.
This repository contains a simple proof-of-concept exploit for CVE-2018-9995, targeting various vulnerable DVR and camera devices (such as Novo CeNova QSee Pulnix XVR 5 in 1, Night OWL DVR, HVR, and MDVR). The repository consists of a README.md describing the exploit's purpose and a shell script (cve-2018-9995.sh) that prompts the user for the target device's IP address and port. The script then uses curl to send a crafted HTTP request to the device's /device.rsp endpoint with a specific cookie header, exploiting an authentication bypass to retrieve the user list. The exploit is network-based and requires the attacker to know the target's IP and port. The code is a straightforward proof-of-concept and does not include advanced payloads or post-exploitation features.
This repository contains a Bash script (DVR-Exploiter.sh) designed to exploit a known vulnerability (CVE-2018-9995) in various DVR devices. The exploit targets the /device.rsp endpoint, which, when accessed with specific parameters, exposes the list of user credentials without authentication. The script prompts the user for a target IP/domain and port, then uses curl to send a crafted HTTP request to the vulnerable endpoint. The README provides context, usage instructions, a list of affected DVR brands (Novo, CeNova, QSee, Pulnix, XVR, Securus, Night OWL, etc.), and references to tutorials and dorks for finding vulnerable devices. The repository structure is simple, with the main exploit logic in a single Bash script, a README for documentation, and a screenshots directory for visual aids. The exploit is a proof-of-concept and does not include advanced payloads or post-exploitation features.
This repository provides an operational exploit for CVE-2018-9995, targeting a range of DVR devices from vendors such as Novo, CeNova, QSee, Pulnix, XVR, Securus, and Night OWL. The main exploit script, getDVR_Credentials.py, is a Python tool that sends a crafted HTTP GET request to the vulnerable DVR's web interface (specifically to /device.rsp?opt=user&cmd=list) with a malicious Cookie header (uid=admin). If the device is vulnerable, the script extracts and displays all user credentials (usernames, passwords, and roles) in a formatted table. The exploit requires the attacker to specify the target host and port, and the device must be accessible over the network. The repository includes a README with usage instructions, affected vendors, and example output. The exploit is operational and provides direct credential extraction, making it a practical tool for testing or exploitation of vulnerable DVRs.
This repository contains a Python exploit script (thecctv.py) targeting CVE-2018-9995, an authentication bypass vulnerability in certain DVR devices. The exploit works by sending a crafted HTTP GET request to the /device.rsp endpoint of a vulnerable device, using a specific cookie value to bypass authentication and retrieve the username and password. The script prompts the user for the target host and port, constructs the necessary request, and parses the response to extract credentials. The README provides usage instructions, including how to find potential targets using the ZoomEye search engine. The repository is simple, with one main exploit script, a README, and a license file. The exploit is operational and provides direct credential extraction from vulnerable DVRs.
This repository contains a Python proof-of-concept exploit for CVE-2018-9995, an authentication bypass vulnerability affecting a range of DVR devices (including TBK DVR4104, DVR4216, Novo, CeNova, QSee, Pulnix, Securus, Night OWL, and others). The exploit works by sending a crafted HTTP GET request to the endpoint '/device.rsp?opt=user&cmd=list' on the target device, using a forged 'Cookie: uid=admin' header to bypass authentication. If the device is vulnerable, the response contains a JSON object with usernames and passwords, which the script extracts and displays in a formatted table. The script supports both single-target and mass exploitation modes, with multithreading for efficiency. Results can be saved to a CSV file. The repository includes the main exploit script (CVE-2018-9995.py), a README.md with detailed vulnerability and usage information, and a requirements.txt listing Python dependencies. The exploit is a functional PoC and does not include weaponized or post-exploitation payloads.
This repository contains a Python script (dvrsploit.py) that automates exploitation of CVE-2018-9995, an authentication bypass vulnerability affecting various DVR devices. The script prompts the user for a DVR host and port, then sends a crafted HTTP GET request to the /device.rsp endpoint with a specific Cookie header to bypass authentication and retrieve the list of user accounts from the device. The result is displayed and appended to a local file (dvr_output.txt). The repository also includes a README with usage instructions and a LICENSE file. The exploit is a proof-of-concept and does not provide post-exploitation capabilities beyond information disclosure. No hardcoded endpoints are present; the target is specified at runtime. The main attack vector is network-based, targeting DVR devices accessible over HTTP.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.