CVE-2026-0854
Unknown Unknown - Not Provided
OS Command Injection in Merit LILIN DVR/NVR Enables Remote Execution

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: TWCERT/CC

Description
Certain DVR/NVR models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0854
EUVD
EUVD-2026-1947
Affected Vendors & Products
Showing 20 associated CPEs
Vendor Product Version / Range
merit_lilin dvr032 to 1.0.28.3858 (inc)
merit_lilin dvr708 to 1.3.4 (inc)
merit_lilin dvr716 to 1.3.4 (inc)
merit_lilin dvr804 to 1.3.4 (inc)
merit_lilin dvr808 to 1.3.4 (inc)
merit_lilin dvr816 to 1.3.4 (inc)
merit_lilin nvr100l to 1.1.66 (inc)
merit_lilin nvr200l to 1.1.66 (inc)
merit_lilin nvr400l to 1.1.66 (inc)
merit_lilin nvr1400l to 1.1.66 (inc)
merit_lilin nvr2400l to 1.1.66 (inc)
merit_lilin nvr3216 to 2.0.74.3921 (inc)
merit_lilin nvr3416 to 2.0.74.3921 (inc)
merit_lilin nvr3416r to 2.0.74.3921 (inc)
merit_lilin nvr3816 to 2.0.74.3921 (inc)
merit_lilin nvr5832 to 4.0.24.4043 (inc)
merit_lilin nvr5832s to 4.0.24.4043 (inc)
merit_lilin nvr5104e to 4.0.24.4078 (inc)
merit_lilin nvr5208e to 4.0.24.4078 (inc)
merit_lilin nvr5416e to 4.0.24.4078 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0854 is an OS Command Injection vulnerability in certain Merit LILIN DVR and NVR models. It allows authenticated remote attackers to inject and execute arbitrary operating system commands on the affected devices, potentially compromising the device's security and control. [1, 2]

Impact Analysis

This vulnerability can allow an attacker with valid credentials to remotely execute arbitrary OS commands on the affected devices, leading to potential full compromise of the device. This can impact confidentiality, integrity, and availability of the device and its data, possibly resulting in unauthorized access, data theft, device malfunction, or disruption of surveillance operations. [1, 2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the firmware of the affected Merit LILIN DVR and NVR devices to versions beyond those listed as vulnerable. Refer to the official advisory (M00175) provided by Merit LILIN for the correct firmware versions to upgrade to. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0854. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart