CVE-2025-34132

A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface.

CVSS

No CVSS.

Configurations

No configuration.

History

27 Oct 2025, 21:15

Type Values Removed Values Added
Summary
  • (es) A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box does not properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface.
Summary
  Values Removed: (en) A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface.
  Values Added: (en) A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface.
References
  • () https://ducklingstudio.blog.fc2.com/blog-entry-400.html -

16 Jul 2025, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-07-16 22:15

Updated : 2025-10-27 21:15


NVD link : CVE-2025-34132

Mitre link : CVE-2025-34132

CVE.ORG link : CVE-2025-34132


Products Affected

No product.

CWE
CWE-20

Improper Input Validation

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')