A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface. 777
History

Thu, 17 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 16 Jul 2025 21:45:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface. 777
Title LILIN DVR Command Injection via NTPUpdate in dvr_box
Weaknesses CWE-20
CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-07-16T21:26:51.852Z

Updated: 2025-07-17T13:39:06.871Z

Reserved: 2025-04-15T19:15:22.562Z

Link: CVE-2025-34132

cve-icon Vulnrichment

Updated: 2025-07-17T13:39:00.517Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-07-16T22:15:24.823

Modified: 2025-07-17T21:15:50.197

Link: CVE-2025-34132

cve-icon Redhat

No data.