Two high-severity vulnerabilities in TP-Hyperlink VIGI community video recorder (NVR) programs may permit attackers to execute arbitrary instructions on affected units.
The safety flaws, recognized as CVE-2025-7723 and CVE-2025-7724, influence the VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2 fashions, posing important dangers to surveillance infrastructure safety.
Key Takeaways1. Two severe vulnerabilities let attackers run instructions on TP-Hyperlink VIGI NVR units.2. One flaw wants login; the opposite works with out credentials, posing a excessive danger.3. Replace the gadget firmware instantly to remain protected.
CVE-2025-7723: Authenticated Command Injection Vulnerability
CVE-2025-7723 is a high-severity working system (OS) command injection vulnerability, which permits attackers with authenticated entry to inject and execute arbitrary OS-level instructions on the affected units.
With a CVSS v4.0 rating of 8.5, this vulnerability is taken into account severe, because it grants attackers important management over the system as soon as they’ve logged in.
Exploiting this vulnerability may allow malicious actors to compromise surveillance footage, alter gadget settings, or use the community video recorders (NVRs) as footholds for additional assaults inside a corporation’s community.
CVE-2025-7724: Unauthenticated Command Injection Vulnerability
CVE-2025-7724 represents a fair increased danger because of the lack of authentication required for exploitation.
Assigned a CVSS v4.0 rating of 8.7, this vulnerability permits attackers to execute arbitrary instructions on affected VIGI NVR units while not having to log in or present credentials.
This makes the flaw particularly harmful as a result of it may be exploited remotely by anybody with adjoining community entry, requiring solely minimal effort or technical data.
Profitable exploitation can absolutely compromise the gadget’s confidentiality, integrity, and availability, permitting attackers to tamper with saved video information, disrupt operations, or launch additional assaults throughout the native community.
Particularly affected are VIGI NVR1104H-4P V1 units working firmware variations previous to 1.1.5 Construct 250518 and VIGI NVR2016H-16MP V2 programs with firmware variations earlier than 1.3.1 Construct 250407.
CVE IDTitleAffected VersionsCVSS 3.1 ScoreSeverityCVE-2025-7723Authenticated Command InjectionVIGI NVR1104H-4P V1 8.5HighCVE-2025-7724Unauthenticated Command InjectionVIGI NVR1104H-4P V1 8.7High
Mitigations
TP-Hyperlink has launched firmware updates to deal with each vulnerabilities and strongly recommends speedy deployment of those patches.
Customers should improve VIGI NVR1104H-4P V1 programs to firmware model 1.1.5 Construct 250518 and VIGI NVR2016H-16MP V2 units to model 1.3.1 Construct 250407.
The corporate emphasizes the significance of post-update configuration verification to make sure all safety settings stay correctly configured after the firmware improve course of.
Community directors ought to obtain the most recent firmware immediately from TP-Hyperlink’s official assist channels and implement extra community segmentation measures to restrict potential assault surfaces.
Enhance detection, cut back alert fatigue, speed up response; all with an interactive sandbox constructed for safety groups -> Attempt ANY.RUN Now
