Back to search
CVE-2025-34132
Published: Jul 16, 2025
Modified: May 15, 2026
PUBLISHED
Description
A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface.
| Vendor | Product | Versions |
|---|---|---|
Merit LILIN | DVR Firmware | affected 0 - < 2.0b60_20200207 |
References
https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day/
third-party-advisory
technical-description
https://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf
vendor-advisory
patch
https://www.vulncheck.com/advisories/lilin-dvr-multiple-vulnerabilities
third-party-advisory
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now