CVE-2025-34036

high-risk

Published 2025-06-24

An OS command injection vulnerability exists in white-labeled DVRs manufactured by TVT, affecting a custom HTTP service called "Cross Web Server" that listens on TCP ports 81 and 82. The web interface fails to sanitize input in the URI path passed to the language extraction functionality. When the server processes a request to /language/[lang]/index.html, it uses the [lang] input unsafely in a tar extraction command without proper escaping. This allows an unauthenticated remote attacker to inject shell commands and achieve arbitrary command execution as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

Do I need to act?

10.9% chance of exploitation in next 30 days

EPSS score — higher than 89% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Td-2108Ts-Cl Firmware

Td-2108Ts-Cl-A Firmware

Td-2116Ts-Cl Firmware

Td-2104Ts-Hc Firmware

Td-2108Ts-Hc Firmware

Td-2116Ts-Hc Firmware

Td-2104Ts-Hp Firmware

Td-2108Ts-Hp Firmware

Td-2116Te-Hp Firmware

Td-2704Ts-Hc Firmware

Td-2708Ts-Hc Firmware

Td-2716Te-Hc Firmware

Td-2716Te-Hc-A Firmware

Td-2716Tc-Hc Firmware

Td-2732Tc-Hc Firmware

Td-2716Td-Hc Firmware

Td-2732Td-Hc Firmware

Td-2704Ts-Hp Firmware

Td-2708Ts-Hp Firmware

Td-2708Te-Hp Firmware

Affected Vendors

Tvt

References (4)

Third Party Advisory https://vulncheck.com/advisories/shenzhen-tvt-cctv-dvr-command-injection

Exploit https://web.archive.org/web/20160322204109/http://www.kerneronsec.com/2016/02/re...

Exploit https://www.exploit-db.com/exploits/39596

Exploit https://web.archive.org/web/20160322204109/http://www.kerneronsec.com/2016/02/re...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 11/34 · Low

Exposure 22/34 · High