CVE-2026-0854
OS Command Injection in Merit LILIN DVR/NVR Enables Remote Execution
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: TWCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| merit_lilin | dvr032 | to 1.0.28.3858 (inc) |
| merit_lilin | dvr708 | to 1.3.4 (inc) |
| merit_lilin | dvr716 | to 1.3.4 (inc) |
| merit_lilin | dvr804 | to 1.3.4 (inc) |
| merit_lilin | dvr808 | to 1.3.4 (inc) |
| merit_lilin | dvr816 | to 1.3.4 (inc) |
| merit_lilin | nvr100l | to 1.1.66 (inc) |
| merit_lilin | nvr200l | to 1.1.66 (inc) |
| merit_lilin | nvr400l | to 1.1.66 (inc) |
| merit_lilin | nvr1400l | to 1.1.66 (inc) |
| merit_lilin | nvr2400l | to 1.1.66 (inc) |
| merit_lilin | nvr3216 | to 2.0.74.3921 (inc) |
| merit_lilin | nvr3416 | to 2.0.74.3921 (inc) |
| merit_lilin | nvr3416r | to 2.0.74.3921 (inc) |
| merit_lilin | nvr3816 | to 2.0.74.3921 (inc) |
| merit_lilin | nvr5832 | to 4.0.24.4043 (inc) |
| merit_lilin | nvr5832s | to 4.0.24.4043 (inc) |
| merit_lilin | nvr5104e | to 4.0.24.4078 (inc) |
| merit_lilin | nvr5208e | to 4.0.24.4078 (inc) |
| merit_lilin | nvr5416e | to 4.0.24.4078 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0854 is an OS Command Injection vulnerability in certain Merit LILIN DVR and NVR models. It allows authenticated remote attackers to inject and execute arbitrary operating system commands on the affected devices, potentially compromising the device's security and control. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with valid credentials to remotely execute arbitrary OS commands on the affected devices, leading to potential full compromise of the device. This can impact confidentiality, integrity, and availability of the device and its data, possibly resulting in unauthorized access, data theft, device malfunction, or disruption of surveillance operations. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the firmware of the affected Merit LILIN DVR and NVR devices to versions beyond those listed as vulnerable. Refer to the official advisory (M00175) provided by Merit LILIN for the correct firmware versions to upgrade to. [1, 2]