CVE-2025-34130
BaseFortify
Publication date: 2025-07-16
Last updated on: 2025-07-17
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lilin | digital_video_recorder | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unauthenticated arbitrary file read in LILIN Digital Video Recorder (DVR) devices before firmware version 2.0b60_20200207. Attackers can access the /z/zbin/net_html.cgi endpoint to read sensitive configuration files like /zconf/service.xml without needing to log in. Accessing these files can help attackers launch further attacks such as command injection.
How can this vulnerability impact me? :
The vulnerability allows attackers to read sensitive configuration files on affected DVR devices without authentication. This can lead to further exploitation, including command injection attacks, potentially compromising the device and the network it is connected to. It has been actively exploited by botnets like FBot and Moobot, increasing the risk of widespread attacks.