CVE-2016-20016

CRITICAL · EXPLOITED IN THE WILD

MVPower TV-7104HE and TV7108HE Firmware - Unauthenticated Remote Code Execution via Web Shell

Exploitation Summary

CVE-2016-20016 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 3 public exploits from researchers including Metasploit, Paul Davies (UHF-Satcom), Andrew Tierney (Pen Test Partners) and bcoles, among them the Metasploit module exploits/linux/http/mvpower_dvr_shell_exec.

AI-analyzed exploit summary: This Metasploit module exploits an unauthenticated remote command execution vulnerability in MVPower DVR devices by sending arbitrary commands via the 'shell' endpoint. It includes a check method to verify vulnerability and executes a reverse shell payload.

Description

MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifiable HTTP response Server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild from 2017 through 2022.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · arm
https://www.exploit-db.com/exploits/41471

This Metasploit module exploits an unauthenticated remote command execution vulnerability in MVPower DVR devices by sending arbitrary commands via the 'shell' endpoint. It includes a check method to verify vulnerability and executes a reverse shell payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: MVPower DVR (e.g., TV-7104HE, TV-7108HE) with firmware version 1.8.4 115215B9
No auth needed
Prerequisites: Network access to the target device · Target device must be running vulnerable MVPower DVR firmware
devstral-2 · analyzed Feb 16, 2026
vulncheck_xdb WORKING POC
remote
https://github.com/threat9/routersploit

This repository contains the RouterSploit framework, an open-source exploitation toolkit for embedded devices, including exploits, scanners, and credential testing modules. The framework is designed to target vulnerabilities in routers and IoT devices, with a structured approach to module development and testing.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Embedded devices (routers, IoT)
No auth needed
Prerequisites: Python 3.6+ · Network access to target device
devstral-2 · analyzed Feb 25, 2026
metasploit WORKING POC EXCELLENT
by Paul Davies (UHF-Satcom), Andrew Tierney (Pen Test Partners), bcoles · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb

This Metasploit module exploits an unauthenticated remote command execution vulnerability in MVPower DVR devices by sending arbitrary commands via the 'shell' endpoint. It includes a check method to verify vulnerability and executes a command stager for payload delivery.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: MVPower DVR (e.g., TV-7104HE, TV-7108HE) with firmware version 1.8.4 115215B9
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable MVPower DVR firmware
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 9.8
EPSS 0.9060
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2017-10-20
InTheWild.io 2017-01-01
CWE CWE-78
Status published
Products (2)
mvpower/tv-7104he_firmware 1.8.4_115215b9
mvpower/tv7108he_firmware
Published Oct 19, 2022
Tracked Since Feb 18, 2026