New Variant of Mirai Malware Targets TBK DVR Devices via Command Injection Flaw

207/68 Tuesday, June 10, 2025

Cybersecurity experts are warning about a new variant of the Mirai malware that exploits a command injection vulnerability, tracked as CVE-2024-3721, to hijack TBK DVR-4104 and DVR-4216 digital video recorder devices, commonly used in CCTV systems. The vulnerability was disclosed by a researcher known as “netsecfish” in April 2024, along with a publicly available proof-of-concept (PoC), enabling attackers to exploit the flaw and deploy malware onto affected devices.

Kaspersky reported observing active exploitation of this flaw in its Linux honeypot systems. The attackers used netsecfish’s PoC to deliver an ARM32-based Mirai binary, which connects to a command-and-control (C2) server to integrate the device into a botnet. These compromised devices are primarily used for DDoS attacks or as proxies for distributing malicious traffic. While earlier estimates suggested that over 114,000 devices were exposed to the internet and vulnerable, Kaspersky’s latest data shows about 50,000 devices remain exposed and at risk.

The situation remains concerning, as TBK Vision has not confirmed whether a security patch has been released. The issue is further complicated by the fact that the affected TBK DVR-4104 and DVR-4216 models have been rebranded under various names, including Novo, CeNova, QSee, Pulnix, Night OWL, and others, making patch management difficult. The same researcher also uncovered other critical flaws in end-of-life (EoL) D-Link devices earlier this year, underscoring how quickly cybercriminals weaponize public vulnerabilities. Administrators are strongly advised to audit all DVR systems, disconnect unpatched devices from the internet, and apply updates immediately where available to mitigate further exploitation.

Source: https://www.bleepingcomputer.com/news/security/new-mirai-botnet-infect-tbk-dvr-devices-via-command-injection-flaw/