What is the critical vulnerability found in Hunt Electronics DVR systems?

A critical vulnerability tracked as CVE-2025-6561 with a CVSS score of 9.8 has been discovered in Hunt Electronics' hybrid DVR systems. This vulnerability allows unauthenticated attackers to retrieve administrator credentials stored in plaintext directly from internet-accessible devices.

What can attackers do once they exploit this vulnerability?

Once attackers obtain the plaintext administrator credentials from the configuration file, they gain immediate and complete control over the surveillance system. This includes access to recorded footage, live camera feeds, system settings, and the ability to modify or delete surveillance data.

Is there a patch available for this vulnerability?

Yes, Hunt Electronics has released a patched firmware version V3.1.70_1806 BB50604 that addresses this critical vulnerability. Organizations should update their DVR firmware immediately.

What immediate actions should organizations take?

Organizations should immediately update their DVR firmware to version V3.1.70_1806 BB50604, isolate all affected DVRs from public internet access, disable remote access until patched, and change all DVR administrator passwords after applying the patch.

How severe is this vulnerability?

This is a critical vulnerability with a CVSS score of 9.8 out of 10, indicating maximum severity. The vulnerability requires no authentication, exposes credentials in plaintext, and can be exploited remotely against internet-accessible devices.

Why is this vulnerability particularly dangerous?

This vulnerability is particularly dangerous because it requires no authentication to exploit, stores credentials in plaintext format, can be accessed via simple HTTP requests, affects internet-accessible surveillance systems, and provides immediate administrative access to critical security infrastructure.

What should organizations do if they cannot immediately patch?

If immediate patching is not possible, organizations should isolate affected DVRs from public internet access, disable remote access capabilities, implement network segmentation to limit access, and monitor for any unauthorized access attempts until the patch can be applied.

How can organizations verify if their DVR systems are vulnerable?

Organizations can check their Hunt Electronics DVR models (HBF-09KD and HBF-16NK) and verify the firmware version. Any devices running firmware version V3.1.67_1786 BB11115 or earlier are vulnerable and should be updated to version V3.1.70_1806 BB50604 immediately.

Advisory

Critical flaw reported in Hunt Electronics DVR Systems exposes plaintext admin credentials

Q: Which Hunt Electronics DVR models are affected?

The vulnerability affects Hunt Electronics' HBF-09KD and HBF-16NK hybrid DVR models running firmware version V3.1.67_1786 BB11115 and earlier versions.

published: June 28, 2025

Take action: If you use Hunt Electronics HBF-09KD or HBF-16NK DVR systems, make sure they are isolated from the internet. Then immediately update to firmware V3.1.70_1806 BB50604 since this flaw exposes administrator passwords in plaintext. After patching, change all administrator passwords since they may have already been compromised.

Learn More

A critical vulnerability is reported in in Hunt Electronics' hybrid DVR systems that allows unauthenticated attackers to retrieve administrator credentials stored in plaintext directly from internet-accessible devices.

The vulnerability is tracked as CVE-2025-6561 (CVSS score 9.8) and affects Hunt Electronics' HBF-09KD and HBF-16NK hybrid DVR models running firmware version V3.1.67_1786 BB11115 and earlier versions.

Attackers can send a basic HTTP request to retrieve the device's configuration file without any authentication. Once obtained, this file reveals the administrator username and password in plaintext, providing immediate and complete control over the surveillance system.

Hunt Electronics has released a patched firmware version V3.1.70_1806 BB50604. Organizations operating affected devices should immediately update their DVR firmware ASAP. They should also isolate all affected DVRs from public internet access and until patched disable remote access. After patching, organizations should change all DVR administrator passwords.

Critical flaw reported in Hunt Electronics DVR Systems exposes plaintext admin credentials

Read More
Wibu Systems license management critical but impacts multiple …
CISA warns of critical authentication bypass flaw in …
Siemens and Schneider Electric issue fixes for ICS …
Kaspersky reports multiple flaws including critical inZKTeco biometric …
Critical authentication bypass flaw in Burk Technology ARC …