CVE-2016-20016

CRITICAL EXPLOITED IN THE WILD

MVPower CCTV DVR - RCE

Title source: llm

Description

MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotearm

https://www.exploit-db.com/exploits/41471

View Code ZIP pw:eip

vulncheck_xdb

infoleak

https://github.com/MartinxMax/BloodCat

View on vulncheck_xdb

vulncheck_xdb WORKING POC

remote

https://github.com/threat9/routersploit

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Paul Davies (UHF-Satcom), Andrew Tierney (Pen Test Partners), bcoles · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb

View Code ZIP pw:eip

References (3)

[Third Party Advisory] https://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/41471

[Exploit, Third Party Advisory] https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/

Scores

CVSS v3 9.8

EPSS 0.9060

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2017-10-20

InTheWild.io 2017-01-01

CWE

CWE-78

Status published

Products (2)

mvpower/tv-7104he_firmware 1.8.4_115215b9

mvpower/tv7108he_firmware

Published Oct 19, 2022

Tracked Since Feb 18, 2026