Experts from Fortinet have warned that attackers are actively exploiting an unpatched authentication bypass vulnerability discovered in TBK DVR devices in 2018. The vulnerability, with a CVSS score of 9.8, is known as CVE-2018-9995. It allows attackers to bypass authentication on the device by using malicious HTTP cookies.
The vulnerability affects TBK DVR4104 and TBK DVR4216 devices, as well as rebrandings of these models, such as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login and MDVR. As of April 2023, there have been more than 50,000 attempts to exploit the vulnerability.
Unfortunately, no patch has been released to resolve CVE-2018-9995. As such, all owners of vulnerable devices are advised to replace their DVRs with new and supported devices as soon as possible. This is especially important for organizations that use DVR servers to store sensitive video recordings, as they are usually located on company intranets to prevent unauthorized access to data.
