A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface. 777
History
Thu, 17 Jul 2025 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | ssvc |
Wed, 16 Jul 2025 21:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface. 777 | |
Title | LILIN DVR Command Injection via NTPUpdate in dvr_box | |
Weaknesses | CWE-20 CWE-78 |
References | |
Metrics | cvssV4_0 |

Status: PUBLISHED
Assigner: VulnCheck
Published: 2025-07-16T21:26:51.852Z
Updated: 2025-07-17T13:39:06.871Z
Reserved: 2025-04-15T19:15:22.562Z
Link: CVE-2025-34132

Updated: 2025-07-17T13:39:00.517Z

Status : Awaiting Analysis
Published: 2025-07-16T22:15:24.823
Modified: 2025-07-17T21:15:50.197
Link: CVE-2025-34132
