CVE-2024-3721
Published: 13 April 2024
Summary
CVE-2024-3721 is a medium-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 6.3 (Medium).
Operationally, ranked in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A vulnerability classified as critical was identified in TBK DVR-4104 and DVR-4216 devices up to version 20240412. It resides in the handling of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___, where manipulation of the mdb or mdc argument permits OS command injection. The flaw is tracked as CWE-78 and received a CVSS 3.1 score of 6.3.
The issue can be exploited remotely by an authenticated attacker with low privileges and without user interaction, resulting in limited impacts to confidentiality, integrity, and availability. Public exploit code has been released that demonstrates the command injection.
The provided references consist of a public GitHub repository containing proof-of-concept code and several Vuldb entries; none of the references describe vendor patches, workarounds, or official mitigation guidance.
EPSS for the CVE reached a peak of 0.8542 and currently stands at 0.7675, indicating substantial and sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-32296
Vulnerability details
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. The attack may…
more
be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260573 was assigned to this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.