Security researchers have uncovered a critical vulnerability (CVE-2025-6561, CVSS score 9.8) that affects certain hybrid DVR models from Hunt Electronic. This flaw puts sensitive system information at risk, particularly the plaintext administrator credentials, and could be exploited by unauthenticated remote attackers.
The vulnerability impacts the following Hunt Electronic Hybrid DVR models:
- HBF-09KD
- HBF-16NK
All firmware versions up to and including V3.1.67_1786 BB11115 are affected.
According to the advisory, these DVR units suffer from an Exposure of Sensitive Information issue:
“Certain hybrid DVR models (HBF-09KD and HBF-16NK) from Hunt Electronic have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to directly access a system configuration file and obtain plaintext administrator credentials.”
This means attackers don’t even need to log in: they can simply exploit the flaw to pull configuration files from the device remotely and extract the admin credentials with ease. This level of access opens the door for full device takeover, manipulation of surveillance feeds, or lateral movement into larger networks.
Users are strongly urged to update their firmware to secure their systems. Hunt Electronic has issued a patch (V3.1.70_1806 BB50604) to address this critical flaw.
Neglecting to apply this update leaves DVR systems dangerously exposed to unauthorized control and surveillance compromise.
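To find which units still need the update, the following firmware-inventory triage applies the version bounds stated above. It is an added example, not code from Hunt Electronic or the advisory. It assumes version strings follow the `V<major>.<minor>.<patch>_<build> BB<n>` shape quoted above and order numerically; the inventory records are constructed samples.

```python
import re

# Values taken from the advisory text above.
AFFECTED_MODELS = {"HBF-09KD", "HBF-16NK"}
LAST_AFFECTED = (3, 1, 67, 1786)   # V3.1.67_1786 BB11115
FIRST_FIXED = (3, 1, 70, 1806)     # V3.1.70_1806 BB50604

# Assumption: versions look like "V<a>.<b>.<c>_<build> BB<n>"; the BB suffix
# is ignored because the page does not say what it encodes.
_VERSION_RE = re.compile(r"^\s*V(\d+)\.(\d+)\.(\d+)_(\d+)(?:\s+BB\d+)?\s*$", re.I)


def parse_version(text):
    """Return (major, minor, patch, build) or None if the string is malformed."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def classify(model, firmware):
    """Classify one inventory record against the advisory's version bounds."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "not-listed"
    version = parse_version(firmware)
    if version is None:
        return "unknown"          # unparseable: verify on the device
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIRST_FIXED:
        return "patched"
    return "unknown"              # between the two bounds: page gives no status


def triage(records):
    """Map each (host, model, firmware) record to its classification."""
    return {host: classify(model, fw) for host, model, fw in records}


# Constructed sample inventory (hosts are documentation-range addresses).
SAMPLE = [
    ("192.0.2.10", "HBF-09KD", "V3.1.67_1786 BB11115"),
    ("192.0.2.11", "HBF-16NK", "V3.1.70_1806 BB50604"),
    ("192.0.2.12", "hbf-16nk", "V3.1.52_1600"),
    ("192.0.2.13", "HBF-09KD", "V3.1.68_1790 BB20101"),
    ("192.0.2.14", "HBF-09KD", "unknown"),
    ("192.0.2.15", "OTHER-DVR", "V1.0.0_1"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}\t{status}")
```

Units reported as `unknown` should be checked by hand, since the page gives no status for builds between the two named versions.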