FortiGuard Labs researchers have recently warned about a surge in malicious attacks targeting TBK DVR devices. Cybercriminals are exploiting a five-year-old authentication bypass vulnerability, tracked as CVE-2018-9995, which has a CVSS score of 9.8. The flaw stems from improper handling of a maliciously crafted HTTP cookie. Remote attackers can exploit this vulnerability to obtain administrative privileges and gain access to camera video feeds.
TBK Vision is a video surveillance company offering network CCTV devices and related equipment, including DVRs for protecting critical infrastructure facilities. The company claims to have over 600,000 cameras and 50,000 recorders installed worldwide in various sectors such as banking, retail, and government. The National Institute of Standards and Technology (NIST) also warns that some models sold by the company, like TBK DVR4104 and DVR4216 devices, are rebranded and available on the market under different names such as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR.
In an advisory published by Fortinet, they stated, “FortiGuard Labs observed ‘Critical’ level of attack attempts to exploit an Authentication Bypass Vulnerability in TBK DVR devices (4104/4216) with up to more than 50,000+ unique IPS detections in the month of April 2023.” On May 1, 2023, Fortinet provided an update, stating that tens of thousands of TBK DVRs available under different brands could be easily exploitable due to the public availability of proof-of-concept (PoC) code. The company emphasized that the issue is easy to exploit and that the vendor has not yet released security patches to address the flaw.
In April 2018, security researcher Fernandez Ezequiel published PoC code for this vulnerability. Fortinet has also observed a spike in exploitation attempts targeting CVE-2016-20016 (CVSS score of 9.8) in MVPower CCTV DVR models. The advisory continues, “Another notable spike to mention is IPS detections related to MVPower CCTV DVR models (CVE-2016-20016) also known as JAWS webserver RCE. Previously seen to be exploited in the wild through 2017 and on-going.”