Skip to main content
CVE Vulnerability Database

CVE-2025-7724: VIGI NVR Command Injection RCE Flaw

CVE-2025-7724 is an unauthenticated OS command injection vulnerability in VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2 devices that allows remote code execution. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7724 Overview

CVE-2025-7724 is an unauthenticated operating system (OS) command injection vulnerability affecting TP-Link VIGI Network Video Recorder (NVR) devices. The flaw allows attackers on the adjacent network to execute arbitrary OS commands without authentication. Affected models include the VIGI NVR1104H-4P V1 before firmware version 1.1.5 Build 250518 and the VIGI NVR2016H-16MP V2 before firmware version 1.3.1 Build 250407. The vulnerability maps to CWE-78, Improper Neutralization of Special Elements used in an OS Command.

Critical Impact

Adjacent network attackers can execute arbitrary OS commands on affected VIGI NVR devices without credentials, leading to full device compromise, surveillance footage manipulation, and pivoting into the internal network.

Affected Products

  • TP-Link VIGI NVR1104H-4P V1 firmware prior to 1.1.5 Build 250518
  • TP-Link VIGI NVR2016H-16MP V2 firmware prior to 1.3.1 Build 250407
  • Surveillance deployments using these NVR models as recording and management endpoints

Discovery Timeline

  • 2025-07-22 - CVE-2025-7724 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7724

Vulnerability Analysis

The vulnerability is an unauthenticated OS command injection flaw in the VIGI NVR firmware. An attacker reachable on the adjacent network can send crafted input that is passed to a system shell without proper neutralization of shell metacharacters. Because authentication is not required, exploitation requires only network adjacency, such as access to the same local area network (LAN) segment as the device.

Successful exploitation grants the attacker arbitrary command execution in the context of the NVR service, typically running with elevated privileges on the embedded Linux platform. This compromises the confidentiality, integrity, and availability of the device and the video data it manages.

Root Cause

The root cause is improper neutralization of special elements in user-supplied input that is incorporated into OS commands ([CWE-78]). The firmware concatenates untrusted input into shell command strings rather than using safe APIs such as parameterized execution, allowing metacharacters like ;, |, &, and backticks to break out of the intended command context.

Attack Vector

The attack vector is adjacent network (AV:A), meaning the attacker must reside on the same logical network as the NVR, for example the same VLAN, Wi-Fi segment, or local broadcast domain. No user interaction or authentication is required. Attackers commonly reach this condition through compromised IoT devices, rogue endpoints, or unsegmented surveillance VLANs.

No public proof-of-concept or exploit code has been published for CVE-2025-7724 at the time of writing. See the TP-Link FAQ Support Document for vendor-provided technical context.

Detection Methods for CVE-2025-7724

Indicators of Compromise

  • Unexpected outbound connections from VIGI NVR management interfaces to unknown external hosts
  • New or modified processes on the NVR spawned by the web management daemon, such as shells or download utilities like wget or curl
  • Configuration changes, new administrative accounts, or disabled logging on the NVR appliance
  • Anomalous HTTP or HTTPS requests to the NVR web interface containing shell metacharacters such as ;, |, &, or $()

Detection Strategies

  • Inspect network traffic destined to NVR management ports for payloads containing shell metacharacters or command syntax
  • Baseline expected child processes of the NVR web service and alert on deviations such as shell or networking utilities
  • Correlate authentication events with subsequent administrative changes to identify unauthenticated configuration modifications

Monitoring Recommendations

  • Forward NVR syslog, firewall logs, and IDS alerts to a centralized analytics platform for correlation
  • Monitor the surveillance VLAN for lateral movement attempts originating from NVR IP addresses
  • Track firmware versions across the VIGI fleet and alert on devices running versions prior to the fixed builds

How to Mitigate CVE-2025-7724

Immediate Actions Required

  • Upgrade VIGI NVR1104H-4P V1 to firmware 1.1.5 Build 250518 or later using the TP-Link Vigi NVR1104H Firmware page
  • Upgrade VIGI NVR2016H-16MP V2 to firmware 1.3.1 Build 250407 or later using the TP-Link Vigi NVR2016H Firmware page
  • Inventory all TP-Link VIGI NVR devices and verify firmware versions against the fixed builds
  • Restrict management interface access to a dedicated administrative network segment

Patch Information

TP-Link has released fixed firmware addressing CVE-2025-7724. Administrators should apply 1.1.5 Build 250518 for the VIGI NVR1104H-4P V1 and 1.3.1 Build 250407 for the VIGI NVR2016H-16MP V2. Refer to the TP-Link FAQ Support Document for upgrade procedures and release notes.

Workarounds

  • Place affected NVR devices on an isolated VLAN with strict access control lists limiting reachability to authorized management hosts
  • Block adjacent-network access to the NVR web management interface from untrusted endpoints, including guest Wi-Fi and IoT segments
  • Disable remote management features that are not strictly required for operations
  • Monitor adjacent-network traffic to the NVR for anomalous command-like payloads until firmware upgrades are completed
bash
# Example: restrict NVR management access on a Linux gateway using iptables
# Allow only the administrative subnet 10.10.50.0/24 to reach the NVR at 10.10.20.15
iptables -A FORWARD -s 10.10.50.0/24 -d 10.10.20.15 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 10.10.20.15 -p tcp --dport 443 -j DROP
iptables -A FORWARD -d 10.10.20.15 -p tcp --dport 80  -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.