Two critical vulnerabilities in TP-Link VIGI network video recorder (NVR) systems could allow attackers to execute arbitrary commands on affected devices.

The flaws, tracked as CVE-2025-7723 and CVE-2025-7724, affect the VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2 models and pose a considerable threat to the security of surveillance infrastructure.

Key Takeaways
1. Two critical vulnerabilities allow attackers to execute commands on TP-Link VIGI NVR devices.
2. One flaw requires login; the other can be exploited without credentials, presenting a significant risk.
3. Immediately update the device firmware for protection.

CVE-2025-7723: Authenticated Command Injection Vulnerability

CVE-2025-7723 is a high-severity operating system (OS) command injection flaw that lets an attacker who already holds valid credentials inject and execute arbitrary OS-level commands on vulnerable devices.

With a CVSS v4.0 score of 8.5, the vulnerability is rated High: once logged in, an attacker gains extensive control over the device.

Exploiting it could let an attacker tamper with surveillance footage, modify device settings, or use the NVR as a foothold for further attacks inside the organization's network.
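The pattern behind an OS command injection of this kind, shown as an added illustration rather than code from the VIGI firmware: the advisory does not disclose which parameter is injectable, so the `target` field, the diagnostic command (`echo` stands in for the real binary so the demo is harmless to run) and the payload are assumptions. The vulnerable handler pastes the untrusted value into a shell string; the hardened one allow-lists the value and executes the binary with an argv list so `/bin/sh` never parses it.

```python
import re
import subprocess

# Constructed payload: a plausible host value followed by a second command.
INJECTED_INPUT = "127.0.0.1; echo INJECTED"
CLEAN_INPUT = "127.0.0.1"


def run_diag_vulnerable(target: str) -> str:
    """Hypothetical 'network diagnostic' handler in the vulnerable style.

    The value taken from the web UI is interpolated into a shell command,
    so metacharacters such as ';' are interpreted by the shell and anything
    after them runs as an additional command.
    """
    completed = subprocess.run(
        f"echo {target}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


# Allow-list for a hostname or IPv4 literal (assumed policy for this demo).
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def run_diag_hardened(target: str) -> str:
    """Same handler, hardened.

    1. Reject anything that is not a plausible host (allow-list, not deny-list).
    2. Execute the binary with an argument list: no shell is involved, so even
       a value that slipped through validation would reach 'echo' as a single
       literal argument rather than as shell syntax.
    """
    if not _HOST_RE.fullmatch(target):
        raise ValueError(f"rejected diagnostic target: {target!r}")
    completed = subprocess.run(
        ["echo", target], capture_output=True, text=True
    )
    return completed.stdout


def hardened_rejects(target: str) -> bool:
    """Convenience wrapper: True if the hardened handler refuses the input."""
    try:
        run_diag_hardened(target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", repr(run_diag_vulnerable(INJECTED_INPUT)))
    print("hardened rejects payload:", hardened_rejects(INJECTED_INPUT))
    print("hardened clean:", repr(run_diag_hardened(CLEAN_INPUT)))
```

Running the vulnerable handler on the payload prints two lines, the second produced by the injected command; the hardened handler refuses the payload outright and, for a clean host, returns exactly one line.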

CVE-2025-7724: Unauthenticated Command Injection Vulnerability

CVE-2025-7724 poses an even greater threat because exploitation requires no authentication.

This vulnerability, assigned a CVSS v4.0 score of 8.7, allows attackers to execute arbitrary commands on affected VIGI NVR systems without logging in or supplying credentials.

This flaw is particularly dangerous because anyone with access to the device's network segment can exploit it, with no credentials and little effort required.

Successful exploitation can fully compromise the device’s confidentiality, integrity, and availability, enabling attackers to manipulate stored video data, disrupt operations, or initiate further attacks within the local network.

Specifically affected are the VIGI NVR1104H-4P V1 devices running firmware versions before 1.1.5 Build 250518 and the VIGI NVR2016H-16MP V2 systems with firmware versions under 1.3.1 Build 250407.

CVE ID | Title | Affected Versions | CVSS v4.0 Score | Severity
CVE-2025-7723 | Authenticated Command Injection | VIGI NVR1104H-4P V1 < 1.1.5 Build 250518; VIGI NVR2016H-16MP V2 < 1.3.1 Build 250407 | 8.5 | High
CVE-2025-7724 | Unauthenticated Command Injection | VIGI NVR1104H-4P V1 < 1.1.5 Build 250518; VIGI NVR2016H-16MP V2 < 1.3.1 Build 250407 | 8.7 | High

Mitigations

TP-Link has issued firmware updates to rectify both vulnerabilities and strongly advises immediate application of these patches.

Users should upgrade VIGI NVR1104H-4P V1 systems to firmware version 1.1.5 Build 250518 or later and VIGI NVR2016H-16MP V2 devices to version 1.3.1 Build 250407 or later.
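A quick way to triage a fleet against the fixed versions above, as an added example (not a TP-Link tool): it parses the `X.Y.Z Build NNNNNN` firmware string into a comparable tuple and flags every device whose firmware sorts below the fix for its model. The inventory records and the hostnames are constructed; the assumption that a firmware string sorts by version first and build number second follows the `< 1.1.5 Build 250518` notation used in the advisory.

```python
import re
from typing import List, Optional, Tuple

# Fixed firmware per affected model, as stated in the advisory text above.
FIXED_FIRMWARE = {
    "VIGI NVR1104H-4P V1": "1.1.5 Build 250518",
    "VIGI NVR2016H-16MP V2": "1.3.1 Build 250407",
}

_FW_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{6})\s*$", re.IGNORECASE)


def parse_firmware(version: str) -> Tuple[int, int, int, int]:
    """Turn '1.1.5 Build 250518' into (1, 1, 5, 250518) for tuple comparison.

    Assumes the release number is the primary key and the build date the
    secondary one, matching the '< 1.1.5 Build 250518' notation in the advisory.
    """
    m = _FW_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def is_vulnerable(model: str, firmware: str) -> Optional[bool]:
    """True if firmware predates the fix, False if patched, None if model out of scope."""
    fixed = FIXED_FIRMWARE.get(model.strip())
    if fixed is None:
        return None
    return parse_firmware(firmware) < parse_firmware(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> dict:
    """Group (hostname, model, firmware) records by patch status."""
    report = {"vulnerable": [], "patched": [], "out_of_scope": []}
    for host, model, firmware in inventory:
        status = is_vulnerable(model, firmware)
        if status is None:
            report["out_of_scope"].append(host)
        elif status:
            report["vulnerable"].append(host)
        else:
            report["patched"].append(host)
    return report


# Constructed sample inventory: hostnames and firmware strings are made up for the demo.
SAMPLE_INVENTORY = [
    ("nvr-lobby", "VIGI NVR1104H-4P V1", "1.1.4 Build 250210"),
    ("nvr-garage", "VIGI NVR1104H-4P V1", "1.1.5 Build 250518"),
    ("nvr-dock", "VIGI NVR2016H-16MP V2", "1.3.0 Build 250301"),
    ("nvr-annex", "VIGI NVR2016H-16MP V2", "1.3.1 Build 250407"),
    ("nvr-lab", "OTHER-VENDOR-NVR", "9.9.9 Build 999999"),  # not a VIGI model, ignored
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13s}: {', '.join(hosts) or '-'}")
```

A device on the fixed release number but an older build (for example `1.1.5 Build 250101` on the NVR1104H-4P V1) is still reported as vulnerable, which is what the `< 1.1.5 Build 250518` boundary implies; unrecognised models are reported separately rather than silently treated as safe.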

TP-Link also advises checking the device configuration after the update to confirm that all security settings remain set as intended.

Network administrators should obtain firmware only from TP-Link's official support channels and segment the network so that the NVRs are reachable only from trusted management hosts, reducing the exposed attack surface.

The post TP-Link Network Video Recorder Vulnerability Let Attackers Execute Arbitrary Commands appeared first on Cyber Security News.