The vulnerability of the microprogrammed software of TBK DVR4104 and TBK DVR4216 devices lies in the lack of measures to neutralize special elements used in the operating system’s command set. This allows attackers to execute arbitrary commands or cause malfunctions in the device.

🗓️ 09 Jun 2025 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 3 Views

TBK DVR4104 and DVR4216 have a microprogramming flaw allowing arbitrary commands via crafted POST requests.

Reporter	Title	Published	Views	Family All 19
ATTACKERKB	CVE-2024-3721	13 Apr 202400:00	–	attackerkb
Circl	CVE-2024-3721	12 May 202407:03	–	circl
CNNVD	TBK DVR-4104、DVR-4216 操作系统命令注入漏洞	13 Apr 202400:00	–	cnnvd
CVE	CVE-2024-3721	13 Apr 202412:00	–	cve
Cvelist	CVE-2024-3721 TBK DVR-4104/DVR-4216 os command injection	13 Apr 202412:00	–	cvelist
NVD	CVE-2024-3721	13 Apr 202412:15	–	nvd
OpenVAS	TBK DVR devices OS Command Injection Vulnerability (Apr 2024) - Active Check	7 May 202400:00	–	openvas
Positive Technologies	PT-2024-27378	13 Apr 202400:00	–	ptsecurity
Qualys Blog	What Security Teams Need to Know as PHP and IoT Exploits Surge	30 Oct 202512:35	–	qualysblog
RedhatCVE	CVE-2024-3721	23 May 202510:13	–	redhatcve

Source	Link
github	www.github.com/netsecfish/tbk_dvr_command_injection
vuldb	www.vuldb.com/
vuldb	www.vuldb.com/
vuldb	www.vuldb.com/
securitylab	www.securitylab.ru/news/560183.php
web	www.web.nvd.nist.gov/view/vuln/detail

09 Jun 2025 00:00Current

7.5High risk

Vulners AI Score7.5

CVSS 36.3

CVSS 26.5

EPSS0.86489

dvr devices microprogramming flaw parameter handling special elements arbitrary commands crafted requests