Fortinet warns of a spike in attacks against TBK DVR devices

FortiGuard Labs researchers observed a worrisome level of attacks attempting to exploit an authentication bypass vulnerability in TBK DVR devices.

FortiGuard Labs researchers are warning of a spike in malicious attacks targeting TBK DVR devices. Threat actors are attempting to exploit a five-year-old authentication bypass issue, tracked as CVE-2018-9995 (CVSS score of 9.8), in TBK DVR devices.

The CVE-2018-9995 flaw is due to an error when handling a maliciously crafted HTTP cookie. A remote attacker can trigger the flaw to obtain administrative privileges and eventually gain access to camera video feeds.

TBK Vision is a video surveillance company that provides network CCTV devices and other related equipment, including DVRs for the protection of critical infrastructure facilities.

According to the company, they have over 600,000 Cameras and 50,000 Recorders installed all over the world in multiple sectors such as Banking, Retail, Government, etc.

The NIST also warns that some models sold by the company, such as TBK DVR4104 and DVR4216 devices, are also rebranded and available on the market with the bands like Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR.

“FortiGuard Labs observed “Critical” level of attack attempts to exploit an Authentication Bypass Vulnerability in TBK DVR devices (4104/4216) with upto more than 50,000+ unique IPS detections in the month of April 2023.” reads the advisory published by Fortinet.

In an update provided by Fortinet on May 1, 2023, the company states that tens of thousands of TBK DVRs available under different brands could be easily exploitable due to the public availability of PoC code. The company pointed out that the issue is easy-to-exploit.

At this time, the vendor has yet to release security patches to address the flaw.

In April 2018, security researcher Fernandez Ezequiel published proof-of-concept (PoC) code for this vulnerability.

Fortinet also warns of a spike in exploitation attempts targeting the CVE-2016-20016 (CVSS score of 9.8) in MVPower CCTV DVR models.

“Another notable spike to mention is IPS detections related to MVPower CCTV DVR models (CVE-2016-20016) also known as JAWS webserver RCE. Previously seen to be exploited in the wild through 2017 and on-going.” continues the advisory.

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, TBK DVR)