CVE-2025-34036

CRITICAL EXPLOITED

TVT White-Labeled DVR - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-34036 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including K1P0D, Prabhukiran161.

AI-analyzed exploit summary This exploit targets a command injection vulnerability in multiple CCTV DVR vendors by manipulating the 'language' parameter in HTTP requests. It allows remote code execution by chaining commands to create and execute a reverse shell payload.

Description

An OS command injection vulnerability exists in white-labeled DVRs manufactured by TVT, affecting a custom HTTP service called "Cross Web Server" that listens on TCP ports 81 and 82. The web interface fails to sanitize input in the URI path passed to the language extraction functionality. When the server processes a request to /language/[lang]/index.html, it uses the [lang] input unsafely in a tar extraction command without proper escaping. This allows an unauthenticated remote attacker to inject shell commands and achieve arbitrary command execution as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

Exploits (2)

exploitdb WORKING POC
by K1P0D · pythonremotehardware
https://www.exploit-db.com/exploits/39596

This exploit targets a command injection vulnerability in multiple CCTV DVR vendors by manipulating the 'language' parameter in HTTP requests. It allows remote code execution by chaining commands to create and execute a reverse shell payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Multiple CCTV DVR vendors (e.g., Ademco, CP PLUS, Q-See, etc.)
No auth needed
Prerequisites: Network access to the target device · Target device must be vulnerable to command injection via the 'language' parameter
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by Prabhukiran161 · poc
https://github.com/Prabhukiran161/cve-2025-34036

This repository provides a safe simulation of CVE-2025-34036, a command injection vulnerability in TVT DVR. It includes a Flask-based endpoint that mimics the vulnerable behavior for testing Nuclei templates in a controlled environment.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: TVT DVR (simulated)
No auth needed
Prerequisites: Docker for containerization · Nuclei for template testing
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory third-party-advisory exploit technical-description
https://web.archive.org/web/20160322204109/http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html
Exploit, Third Party Advisory third-party-advisory exploit
https://www.exploit-db.com/exploits/39596

Scores

CVSS v3 9.8
EPSS 0.1933
EPSS Percentile 95.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-06-23
CWE
CWE-78
Status published
Products (31)
Shenzhen TVT/CCTV-DVR
tvt/td-2004ts-cl-c_firmware
tvt/td-2004ts-cl_firmware
tvt/td-2008ts-cl_firmware
tvt/td-2104ts-cl-a_firmware
tvt/td-2104ts-cl_firmware
tvt/td-2104ts-hc_firmware
tvt/td-2104ts-hp_firmware
tvt/td-2108ts-cl-a_firmware
tvt/td-2108ts-cl_firmware
... and 21 more
Published Jun 24, 2025
Tracked Since Feb 18, 2026