CVE-2018-25126
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-24

Last updated on: 2025-11-24

Assigner: VulnCheck

Description
Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachable in some models through a proprietary TCP service on port 4567 that accepts a magic GUID preface and base64-encoded XML, enabling the same command injection sink. Firmware releases from mid-February 2018 and later are reported to have addressed this issue. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-28 UTC.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-24
Last Modified
2025-11-24
Generated
2026-06-16
AI Q&A
2025-11-24
EPSS Evaluated
2026-06-14
NVD
CVE-2018-25126
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
shenzhen_tvt_digital_technology_co_ltd nvms-9000_firmware 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware, which is used by many white-labeled DVR/NVR/IPC products. It involves hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface uses fixed vendor credentials and accepts HTTP/XML requests without properly sanitizing user input before passing it to shell execution contexts. An unauthenticated remote attacker can exploit this by using the hardcoded credentials to access certain endpoints and inject shell metacharacters in XML parameters, leading to arbitrary command execution with root privileges. Additionally, some models expose the same vulnerability through a proprietary TCP service on port 4567 that accepts specially formatted XML data. Firmware versions from mid-February 2018 and later have addressed this issue.

Impact Analysis

This vulnerability can have severe impacts because it allows an unauthenticated remote attacker to execute arbitrary commands as root on affected devices. This can lead to full system compromise, unauthorized access to sensitive data, disruption of device functionality, and potentially using the compromised device as a foothold for further attacks within a network.

Mitigation Strategies

To mitigate this vulnerability, update the NVMS-9000 firmware to a version released after mid-February 2018, as these versions have addressed the issue. Additionally, restrict access to the vulnerable web/API interface and the proprietary TCP service on port 4567 to trusted networks only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25126. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart