Command Injection Vulnerability in NVMS-9000 from Shenzhen TVT Digital Technology
CVE-2018-25126

9.3CRITICAL

Key Information:

Vendor: Shenzhen Tvt Digital Technology Co., Ltd.
Status: Nvms-9000
Vendor: CVE Published:; 24 November 2025

🔔 Create Shenzhen Tvt Digital Technology Co., Ltd. Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2018-25126?

The NVMS-9000 firmware by Shenzhen TVT Digital Technology is susceptible to a serious security flaw involving hardcoded API credentials and an OS command injection vulnerability. This vulnerability allows unauthenticated attackers to exploit fixed vendor credentials to access specific endpoints, where they can inject malicious commands via user-controlled XML parameters. The flaw lies in the lack of proper input sanitization in the API, enabling remote command execution with root privileges. Additional risks arise from a TCP service on port 4567, which can also be manipulated to exploit the command injection vulnerability. It's crucial for users to upgrade to firmware versions released after mid-February 2018 to mitigate these risks.

Affected Version(s)

NVMS-9000 0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-25126 - Proof of Concept