CVE-2024-7339

MEDIUM EXPLOITED NUCLEI

TVT and Provision-ISR DVR - Unauthenticated Sensitive Information Exposure via /queryDevInfo

Title source: llm

Exploitation Summary

CVE-2024-7339 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including RevoltSecurities. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a Python-based exploit for CVE-2024-7339, an information leak vulnerability in DVR devices. The exploit sends a crafted XML payload to the `/queryDevInfo` endpoint to extract kernel version and other device information.

Description

A vulnerability has been found in TVT DVR TD-2104TS-CL, DVR TD-2108TS-HP, Provision-ISR DVR SH-4050A5-5L(MM) and AVISION DVR AV108T and classified as problematic. This vulnerability affects unknown code of the file /queryDevInfo. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-273262 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

nomisec WORKING POC 16 stars

by RevoltSecurities · infoleak

https://github.com/RevoltSecurities/CVE-2024-7339

View Code ZIP pw:eip

This repository contains a Python-based exploit for CVE-2024-7339, an information leak vulnerability in DVR devices. The exploit sends a crafted XML payload to the `/queryDevInfo` endpoint to extract kernel version and other device information.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: DVR devices (unspecified vendor/model)

No auth needed

Prerequisites: Network access to the target DVR device

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

TVT DVR Sensitive Device - Information Disclosure

MEDIUMVERIFIEDby Stuxctf

References (4)

Core 4

Core References

Permissions Required, VDB Entry vdb-entry

https://vuldb.com/?id.273262

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.273262

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.379373

Exploit, Third Party Advisory exploit

https://netsecfish.notion.site/Sensitive-Device-Information-Disclosure-in-TVT-DVR-fad1cce703d946969be5130bf3aaac0d?pvs=4

Scores

CVSS v3 5.3

EPSS 0.3344

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2024-09-14

CWE

CWE-200

Status published

Products (28)

provision-isr/sh-4050a5-5l\(mm\)_firmware

provision-isr/sh-4050a5-5l\(mm\)_firmware 1.3.3.20657b180918.d06.u2\(4a41t\)

provision-isr/sh-4050a5-5l\(mm\)_firmware 1.3.4.22966b181219.d00.u1\(4a21s\)

provision-isr/sh-4050a5-5l\(mm\)_firmware 1.3.4.22966b181219.d14.u1\(8a41t\)

provision-isr/sh-4050a5-5l\(mm\)_firmware 1.3.4.22966b181219.d44.u1\(16a82t\)

provision-isr/sh-4050a5-5l\(mm\)_firmware 1.3.4.24513b190218.d00.u1\(8a21s\)

provision-isr/sh-4050a5-5l\(mm\)_firmware 1.3.4.24879b190222.d00.u2\(8a21s\)

tvt/avision_av108t_firmware

tvt/avision_av108t_firmware 1.3.3.20657b180918.d06.u2\(4a41t\)

tvt/avision_av108t_firmware 1.3.4.22966b181219.d00.u1\(4a21s\)

... and 18 more

Published Aug 01, 2024

Tracked Since Feb 18, 2026