FortiGuard Labs recently warned in an outbreak alert of a five-year-old flaw being abused by threat actors, affecting TBK digital video recording (DVR) devices. This severe security vulnerability, which has been designated CVE-2018-9995 (CVSS score: 9.8), is a critical authentication bypass issue that allows remote attackers to acquire elevated privileges.
Technical Description of CVE-2018-9995
On May 10, 2018, Fortinet advised that their customers were protected by an IPS signature which could block any attack attempts related to the vulnerable TBK DVR devices. Fast forward to May 1, 2023 and it’s evident that with the sheer number of TBK DVRs out there, plus the PoC code which can easily be exploited, this vulnerability remains an attractive target for hackers. FortiGuard Labs has reported an increase in IPS detections, which further confirms that network camera devices are much coveted by attackers. As the vendor has yet to supply any patches, Fortinet suggests reviewing all CCTV systems and related equipment for vulnerable models.
In April 2023, FortiGuard Labs noticed a considerable surge in attempts to take advantage of a Authentication Bypass Vulnerability in TBK DVR devices, with more than 50,000+ unique IP detections. This vulnerability, CVE-2018-9995, is 5-years-old and was caused by a problem when processing a malicious HTTP cookie. If successful, an attacker could use this exploit to bypass authentication and gain administrative privileges, potentially allowing access to the cameras’ video feeds.
Affected models include the TBK DVR4104 and DVR4216 product lines, as well as the rebranded and sold CeNova, DVR Login, HVR Login, MDVR Login, Night OWL, Novo, QSee, Pulnix, Securus, and XVR 5 in 1 devices. Furthermore, Fortinet warned of a sharp increase in the exploitation of CVE-2016-20016 (CVSS score: 9.8) relating to MVPower CCTV DVR models, such as TV-7104HE 1.8.4 115215B9 and TV7108HE.
What Is TBK Vision?
TBK Vision is a video surveillance firm supplying network CCTV devices, DVRs and other associated gadgets to secure critical infrastructure facilities. Per their vendor website, they have a global reach, with more than 600,000 Cameras and 50,000 Recorders installed across multiple markets, including Banking, Retail, Government and more. According to the NIST NVD database, TBK DVR4104 and DVR4216 models are also available under other brand names such as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: