Cyber Resilience

CVE-2025-34130

HighPublic PoC

Published: 16 July 2025

Published
16 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0167 82.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34130 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in 360 (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, ranked in the top 17.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

An unauthenticated arbitrary file read vulnerability affects LILIN Digital Video Recorder devices running firmware versions prior to 2.0b60_20200207. The flaw resides in the /z/zbin/net_html.cgi endpoint and is associated with CWE-200 and CWE-306, enabling remote attackers to retrieve arbitrary files without authentication or user interaction. The CVSS 4.0 score of 8.7 reflects the network-accessible, high-impact confidentiality exposure.

Attackers can directly request sensitive configuration files such as /zconf/service.xml through the vulnerable endpoint. Successful reads have been chained with other issues to enable command injection and device compromise, with the vulnerability actively leveraged in the wild by the FBot and Moobot botnets.

Vendor and third-party advisories recommend upgrading affected LILIN DVR units to firmware 2.0b60_20200207 or later. The referenced Netlab 360 analysis and VulnCheck advisory document the exploitation activity and provide additional technical context for detection and remediation.

The vulnerability has seen confirmed real-world use by multiple botnets since disclosure, although the EPSS score has remained flat at 0.0167.

EU & UK References

Vulnerability details

An unauthenticated arbitrary file read exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the /z/zbin/net_html.cgi endpoint. This vulnerability allows attackers to read sensitive configuration files, such as /zconf/service.xml, which can then be used to…

more

facilitate further attacks including command injection. The vulnerability has been exploited in the wild in conjunction with other issues by botnets like FBot and Moobot.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

360
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-200 CWE-306

Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.

addresses: CWE-200 CWE-306

Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle.

addresses: CWE-200 CWE-306

Inventory identifies all systems holding or processing data, enabling detection of unauthorized exposure paths before exploitation.

addresses: CWE-306 CWE-200

Protection planning for critical infrastructure directly calls for authentication of access to essential functions before any operation is permitted.

addresses: CWE-306 CWE-200

Risk assessments evaluate exposure of critical functions lacking authentication and prioritize corrective controls.

addresses: CWE-306 CWE-200

Requires authentication gates on critical functions that must remain unavailable to anonymous public users.

addresses: CWE-306 CWE-200

Treats remote activation of surveillance-capable devices as a critical function that must be disabled or authenticated.

addresses: CWE-200 CWE-306

Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.

References