Outbreak Alert
DVR camera system vulnerability actively exploited in the wild
FortiGuard Labs observed "Critical" level of attack attempts to exploit an Authentication Bypass Vulnerability in TBK DVR devices (4104/4216) with upto more than 50,000+ unique IPS detections in the month of April 2023. The 5-year-old vulnerability (CVE-2018-9995) is due to an error when handling a maliciously crafted HTTP cookie. A remote attacker may be able to exploit this flaw to bypass authentication and obtain administrative privileges eventually leading access to camera video feeds. Learn More »
Common Vulnerabilities and Exposures
Background
TBK Vision is a video surveillance company which provides network CCTV devices and other related equipment such as DVRs for the protection of critical infrastructure facilities. According to the vendor website, they have over 600,000 Cameras and 50,000 Recorders installed all over the world in multiple sectors such as Banking, Retail, Government etc. According to the NIST NVD database, TBK DVR4104 and DVR4216 devices are also rebranded and sold as other brands such as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR. Another notable spike to mention is IPS detections related to MVPower CCTV DVR models (CVE-2016-20016) also known as JAWS webserver RCE. Previously seen to be exploited in the wild through 2017 and on-going. See additional resources for more information.
Threat Radar Overall Score:
 |
CVSS Rating | 9.0 |
 |
FortiRecon Score | 92/100 |
 |
Known Exploited | No |
 |
Exploit Prediction Score | 90.29% |
 |
FortiGuard Telemetry | 43996 |
Latest Development
Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.
May 10, 2018: Fortinet customers remain protected by the IPS signature to block attack attempts related to vulnerable TBK DVR devices. (CVE-2018-9995)
May 1, 2023: With tens of thousands of TBK DVRs available under different brands, publicly-available PoC code, and an easy-to-exploit makes this vulnerability an easy target for attackers. The recent spike in IPS detections shows that network camera devices remain a popular target for attackers.
FortiGuard Labs is not aware of any patches provided by the vendor and recommends organizations to review installed models of CCTV camera systems and related equipment for vulnerable models.
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
-
IPS
-
Outbreak Detection
-
Assisted Response Services
-
Automated Response
-
InfoSec Services
-
Attack Surface Monitoring (Inside & Outside)
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.
Indicators of compromise
References
Sources of information in support and relation to this Outbreak and vendor.