New Mirai Botnet Exploiting TVT DVRs To Gain Administrative Control

Cybersecurity researchers have identified a significant spike in exploitation attempts targeting TVT NVMS9000 digital video recorders (DVRs), with activity surging to three times normal levels in early April 2025.

This new campaign appears to be linked to the infamous Mirai botnet, which continues to evolve by incorporating new vulnerabilities into its arsenal of attack vectors.

The exploitation targets an information disclosure vulnerability in TVT surveillance systems that can be leveraged to gain full administrative control over affected devices.

Once compromised, these systems can be enlisted into the botnet’s network, potentially contributing to distributed denial-of-service (DDoS) attacks and other malicious activities characteristic of Mirai operations.

GreyNoise researchers noted that the exploitation attempts peaked on April 3, 2025, with over 2,500 unique IP addresses detected targeting these systems.

Their analysis confirmed substantial overlap with known Mirai activity patterns, strongly suggesting this campaign represents an expansion of the notorious botnet’s infrastructure.

The primary targets of this campaign are systems located in the United States, United Kingdom, and Germany, while the attacking infrastructure predominantly originates from Taiwan, Japan, and South Korea. This geographic spread of targets and sources underscores the global nature of the threat.

TVT Digital Technology Co., Ltd., the Shenzhen-based manufacturer of the affected NVMS9000 DVRs, has reportedly served customers in more than 120 countries, indicating the potentially vast scope of vulnerable systems.

Infection Mechanism

The exploitation process begins with attackers scanning for internet-exposed TVT NVMS9000 interfaces.

Figure: IP addresses attempting to exploit the NVMS9000 DVR (Source: GreyNoise)

Upon discovering vulnerable systems, the attackers exploit the information disclosure vulnerability to extract administrative credentials. This initial access vector requires minimal sophistication, making it particularly dangerous as it lowers the technical barrier for exploitation.

Once administrative control is obtained, the malware performs a series of commands to download and execute the Mirai payload.

The infection persists by modifying startup scripts and configurations, ensuring the malware maintains its presence even after system reboots.

Security experts recommend immediate action including blocking known malicious IP addresses, applying all available patches, restricting public internet access to DVR interfaces, and implementing comprehensive network monitoring to detect unusual scanning or exploitation attempts.
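
One way to act on the monitoring and access-restriction advice above, as an added example that is not from the original article or from GreyNoise: the script counts unique external source IPs contacting inventoried DVRs per day, flags any day at three times the median of earlier days, and lists DVRs that accepted outside connections. The DVR addresses, internal range, and log line format are assumptions, and the log itself is constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict
from statistics import median

# Assumptions: DVR inventory, internal ranges and the log format are site-specific.
DVR_HOSTS = {"10.0.5.20", "10.0.5.21"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ SRC=(?P<src>\S+) "
                     r"DST=(?P<dst>\S+) ACTION=(?P<action>\w+)$")

def is_external(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable source address: ignore the line
    return not any(ip in net for net in INTERNAL_NETS)

def external_dvr_contacts(lines):
    """Return ({day: set of external sources}, set of DVRs that accepted one)."""
    per_day, exposed = defaultdict(set), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] not in DVR_HOSTS or not is_external(m["src"]):
            continue
        per_day[m["day"]].add(m["src"])
        if m["action"] == "ALLOW":
            exposed.add(m["dst"])  # reachable from outside: candidate for restriction
    return dict(per_day), exposed

def spike_days(per_day, factor=3.0, min_history=3):
    """Days whose unique-source count is >= factor x the median of earlier days."""
    days, flagged = sorted(per_day), []
    for i, day in enumerate(days):
        history = [len(per_day[d]) for d in days[:i]]
        if len(history) >= min_history and len(per_day[day]) >= factor * median(history):
            flagged.append(day)
    return flagged

def build_sample():
    """Constructed log: 2 external sources per day, then 8 on the last day."""
    counts = {"2025-03-31": 2, "2025-04-01": 2, "2025-04-02": 2, "2025-04-03": 7}
    lines = [f"{d}T10:00:0{i}Z SRC=203.0.113.{i + 1} DST=10.0.5.20 ACTION=ALLOW"
             for d, n in counts.items() for i in range(n)]
    lines.append("2025-04-03T11:00:00Z SRC=10.0.1.5 DST=10.0.5.21 ACTION=ALLOW")
    lines.append("2025-04-03T11:00:01Z SRC=198.51.100.9 DST=10.0.5.21 ACTION=DROP")
    return lines

if __name__ == "__main__":
    per_day, exposed = external_dvr_contacts(build_sample())
    print("spike days:", spike_days(per_day), "exposed DVRs:", sorted(exposed))
```

Days with no external contact do not appear in the per-day counts, so the median baseline reflects only days on which the DVRs were contacted.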

The post New Mirai Botnet Exploiting TVT DVRs To Gain Administrative Control appeared first on Cyber Security News.