How to fix EUVD-2025-18965?

Within 24 hours: Identify all TVT white-labeled DVRs in your environment and immediately isolate those accessible via TCP ports 81/82 from untrusted networks; disable external access and restrict to management VLANs only. Within 7 days: Implement WAF rules to block malicious URI patterns targeting /language/ endpoints with command injection payloads; establish network segmentation to prevent DVR-to-critical-infrastructure communication. Within 30 days: Contact TVT for security updates and timeline; replace or decommission affected devices if patches remain unavailable; conduct forensic analysis on all DVRs for signs of prior compromise given active exploitation evidence from February 6, 2025.

Is Command Injection affected by EUVD-2025-18965?

A critical unauthenticated remote code execution vulnerability affects white-labeled DVR systems from TVT, allowing attackers to gain root-level control without authentication.

EUVD-2025-18965

| CVE-2025-34036 CRITICAL

2025-06-24 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 22:36 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 22:36 euvd

EUVD-2025-18965

PoC Detected

Nov 20, 2025 - 22:15 vuln.today

Public exploit code

CVE Published

Jun 24, 2025 - 01:15 nvd

CRITICAL 9.8

Description

An OS command injection vulnerability exists in white-labeled DVRs manufactured by TVT, affecting a custom HTTP service called "Cross Web Server" that listens on TCP ports 81 and 82. The web interface fails to sanitize input in the URI path passed to the language extraction functionality. When the server processes a request to /language/[lang]/index.html, it uses the [lang] input unsafely in a tar extraction command without proper escaping. This allows an unauthenticated remote attacker to inject shell commands and achieve arbitrary command execution as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

Analysis

White-labeled DVRs manufactured by TVT contain an unauthenticated OS command injection in the 'Cross Web Server' HTTP service on ports 81/82. The URI path handling for language extraction fails to sanitize input, enabling remote attackers to execute arbitrary commands on the surveillance DVR.

Technical Context

The custom 'Cross Web Server' on TCP ports 81 and 82 processes URI paths for language/locale extraction. The path component is passed to system commands without sanitization. These DVRs are white-labeled under many brand names, making the true scope of affected devices much larger than the TVT brand alone.

Affected Products

['TVT DVRs with Cross Web Server', 'White-labeled variants (multiple brands)']

Remediation

Update DVR firmware. Block ports 81/82 from the internet. Isolate DVRs on a dedicated surveillance VLAN. Use VPN for remote DVR access.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +10.9

CVSS: +49

POC: +20

EUVD-2025-18965 vulnerability details – vuln.today

Back

EUVD-2025-18965

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-18965

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code