A significant spike in exploitation attempts targeting TVT NVMS9000 DVRs has been detected, peaking on April 3, 2025, with over 2,500 unique IPs scanning for vulnerable devices.
The attacks attempt to exploit an information disclosure vulnerability first disclosed by an SSD Advisory in May 2024, which published the full exploitation details on retrieving admin credentials in cleartext using a single TCP payload.
The exploitation results in an authentication bypass, allowing attackers to execute administrative commands on the device without restriction.
According to the threat monitoring platform GreyNoise, which detected the exploitation activity, it’s likely tied to a Mirai-based malware that seeks to incorporate the devices into its botnet.
Typically, infected devices are then used to proxy malicious traffic, cryptomining, or launch distributed denial of service (DDoS) attacks.
In the past month, GreyNoise logged 6,600 distinct IPs associated with this activity, with all of them confirmed to be malicious and non-spoofable.
Most of the attacks originate from Taiwan, Japan, and South Korea, while the majority of the targeted devices are based in the U.S., the U.K., and Germany.
.jpg)
Source: GreyNoise
The TVT NVMS9000 DVR is a digital video recorder made by the Shenzen-based TVT Digital Technology Co., Ltd.
These DVRs are used primarily in security and surveillance systems to record, store, and manage video footage from security cameras.
As DVRs are commonly internet-connected, they have been historically targeted by various botnets, with some even leveraging five-year-old flaws.
Some recent examples of botnets targeting exposed DVRs include HiatusRAT, Mirai, and FreakOut.
According to SSD’s advisory, customers should upgrade to firmware version 1.3.4 or later to fix the flaw.
If upgrading is impossible, it is recommended that public internet access to DVR ports be restricted and that incoming requests from the IP addresses listed by GreyNoise be blocked.
Signs of Mirai infections on DVRs include outbound traffic spikes, sluggish performance, frequent crashes or reboots, high CPU/memory usage even when idle, and altered configurations.
If any of those are spotted, disconnect the DVR, perform a factory reset, update to the latest firmware, and then isolate it from the main network.
The last firmware release for the NVMS9000 was in 2018, so it is unclear if the devices are still supported.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
