Command Injection Vulnerability in VIGI NVR Products by TP-Link
CVE-2025-7723

8.5 HIGH

What is CVE-2025-7723?

A command injection vulnerability has been identified in TP-Link's VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2 models. The vulnerability can be exploited after authentication, potentially allowing attackers to execute arbitrary commands on the affected systems. The vulnerable firmware versions are VIGI NVR1104H-4P V1 before 1.1.5 Build 250518 and VIGI NVR2016H-16MP V2 before 1.3.1 Build 250407. Users are encouraged to upgrade to the latest firmware versions to mitigate this risk.

Affected Version(s)

VIGI NVR1104H-4P V1: versions before 1.1.5 Build 250518

VIGI NVR2016H-16MP V2: versions before 1.3.1 Build 250407

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
