Command Injection Vulnerability in LILIN Digital Video Recorders
CVE-2025-34132

9.3 CRITICAL

Key Information:

Vendor
CVE Published: 16 July 2025

What is CVE-2025-34132?

A command injection vulnerability affects LILIN Digital Video Recorder (DVR) devices running firmware versions before 2.0b60_20200207. The flaw stems from inadequate input sanitization of the Server field in the NTPUpdate configuration. An attacker can exploit it by sending specially crafted XML data to the DVRPOST interface, which results in arbitrary command execution with root privileges. The affected web service at /z/zbin/dvr_box does not sufficiently validate this input, which poses a significant security risk to users of these DVR devices.

Affected Version(s)

DVR Firmware * < 2.0b60_20200207

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

360 Netlab