CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-34129: LILIN DVR RCE via Malicious FTP/NTP Configuration

8.7 CVSS

Description

A command injection vulnerability exists in LILIN LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 due to insufficient sanitization of the FTP and NTP Server fields in the service configuration. An attacker with access to the configuration interface can upload a malicious XML file with injected shell commands in these fields. Upon subsequent configuration syncs, these commands are executed with elevated privileges. This vulnerability was exploited in the wild by the Moobot botnets.

Known Exploited

🚨 Marked as known exploited on July 16th, 2025 (1 day ago).

Classification

CVE ID: CVE-2025-34129

CVSS Base Severity: HIGH

CVSS Base Score: 8.7

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem Types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-20 Improper Input Validation

Affected Products

Vendor: Merit LILIN

Product: DVR Firmware

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.32% (probability of being exploited)

EPSS Percentile: 54.51% (scored less or equal to compared to others)

EPSS Date: 2025-07-17 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-34129
https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day/
https://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf
https://www.vulncheck.com/advisories/lilin-dvr-multiple-vulnerabilities

Timeline

2025-07-16 22:40:17 UTC
CVE

LILIN DVR RCE via Malicious FTP/NTP Configuration
2025-07-16 22:41:17 UTC
🚨 Marked as Known Exploited