Unauthenticated OS Command Injection in VIGI NVR Products by TP-Link
CVE-2025-7724

9.3CRITICAL

Key Information:

Vendor

Tp-link Systems Inc.

Status
Vigi Nvr1104h-4p V1
Vigi Nvr2016h-16mp V2
Vendor
CVE Published:
22 July 2025

What is CVE-2025-7724?

An unauthenticated OS command injection vulnerability has been identified in specific versions of TP-Link's VIGI NVR1104H-4P and VIGI NVR2016H-16MP products. This vulnerability allows attackers to execute arbitrary commands on the system without authentication, potentially compromising the integrity and confidentiality of the device. Users are recommended to upgrade to the latest firmware versions to mitigate this risk.

Affected Version(s)

VIGI NVR1104H-4P V1 0 < 1.1.5 Build 250518

VIGI NVR2016H-16MP V2 0 < 1.3.1 Build 250407

References

https://www.tp-link.com/us/support/faq/4547/
vendor-advisory
https://www.tp-link.com/jp/support/download/vigi-nvr1104h...
patch
https://www.tp-link.com/jp/support/download/vigi-nvr2016h...
patch

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-7724 : Unauthenticated OS Command Injection in VIGI NVR Products by TP-Link