Digiever NVR Flaws (CVE-2025-10264, CVE-2025-10265) Let Hackers Steal Credentials & Take Control

The Taiwan Computer Emergency Response Team (TWCERT/CC) has issued a vulnerability note warning of two critical security flaws in Digiever’s Network Video Recorder (NVR) product line. Tracked as CVE-2025-10264 (CVSS 10) and CVE-2025-10265 (CVSS 9.8), the vulnerabilities are rated at or just below the maximum severity score and expose affected systems to serious risks, including credential theft and remote code execution.

  • CVE-2025-10264: Exposure of Sensitive Information

This vulnerability allows unauthenticated remote attackers to retrieve the system’s configuration file. Critically, the file contains plaintext credentials for both the NVR and its connected cameras. As TWCERT/CC explains, “Unauthenticated remote attackers can access the system configuration file and obtain plaintext credentials of the NVR and its connected cameras.”

Such exposure could allow attackers to hijack camera feeds, manipulate recordings, or pivot into broader enterprise networks.

  • CVE-2025-10265: OS Command Injection

The second flaw enables unauthenticated attackers to inject and execute arbitrary operating system commands directly on the device. “Unauthenticated remote attackers can inject arbitrary OS commands and execute them on the device,” the advisory states.

This gives adversaries the ability to take full control of affected NVRs, establish persistence, deploy malware, or disable surveillance systems entirely.

The combination of credential disclosure and remote command execution creates a dangerous attack surface. Exploitation requires no prior authentication, meaning that exposed NVRs connected to the internet are particularly at risk.

Attackers could use stolen credentials to monitor or tamper with live surveillance feeds, while OS command injection could be leveraged to disable security systems during physical intrusions.

The vulnerabilities impact a wide range of Digiever NVR models, including the DS-1200, DS-2100 Pro, DS-2200 UHD, DS-4200 Pro, DS-4100-RM, DS-8x00-RM Pro+, DS-16x00-RM UHD, and others. All firmware versions up to and including x.x.x.78 are affected.

TWCERT/CC urges administrators to update immediately to firmware version x.x.x.79 or later to mitigate the risk.
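
One way to triage a device inventory against the affected and fixed firmware versions above, as an added example that is not code from TWCERT/CC or Digiever. It assumes a CSV export with `host`, `model` and `firmware` columns (a hypothetical format with constructed sample hosts) and that the advisory's x.x.x.78 / x.x.x.79 notation refers to the fourth dotted component of the version string.

```python
import csv
import io
import re

# From the advisory: x.x.x.78 and earlier are affected, x.x.x.79 or later is fixed.
LAST_AFFECTED_BUILD = 78

# Assumption: firmware strings look like "3.1.0.78", optionally prefixed with "v".
VERSION_RE = re.compile(r"[vV]?(\d+)\.(\d+)\.(\d+)\.(\d+)", re.ASCII)

# Constructed sample inventory; hosts and version numbers are made up for illustration.
SAMPLE_INVENTORY = """host,model,firmware
nvr-lobby.example.internal,DS-2100 Pro,3.1.0.71
nvr-dock.example.internal,DS-4200 Pro,3.1.0.78
nvr-hq.example.internal,DS-1200,3.1.0.79
nvr-lab.example.internal,DS-2200 UHD,v3.2.0.80
nvr-old.example.internal,DS-4100-RM,unknown
"""


def classify(firmware):
    """Return 'affected', 'patched' or 'unknown' for one firmware string."""
    match = VERSION_RE.fullmatch(firmware.strip())
    if match is None:
        # Unparseable versions cannot be cleared; flag them for manual review.
        return "unknown"
    build = int(match.group(4))
    return "affected" if build <= LAST_AFFECTED_BUILD else "patched"


def triage(csv_text):
    """Group inventory hosts by patch status."""
    result = {"affected": [], "patched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[classify(row["firmware"])].append(row["host"])
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` should be checked by hand rather than assumed patched, since the model list in the advisory is not exhaustive and the version could not be verified.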
