PoC Released for Unauthenticated RCE Vulnerability in TP-Link VIGI NVR4032H Network Video Recorder
A critical security vulnerability has been discovered in TP-Link’s VIGI NVR4032H network video recorder, a device widely used in professional surveillance systems. This flaw could allow remote attackers to gain complete control of the NVR without authentication, putting sensitive video footage and the entire surveillance network at risk.
Unveiling the Flaw: Unauthenticated Remote Command Execution
The vulnerability, identified by independent security researcher n4nika in collaboration with SSD Secure Disclosure, stems from a buffer overflow in the “onvif_discovery” binary. This binary listens on UDP port 5001, and attackers who craft malicious packets for it can trigger the overflow.
By successfully exploiting this flaw, attackers can execute arbitrary code on the NVR with root privileges without requiring authentication, effectively taking complete control of the device. This could lead to a range of malicious activities, including:
- Video Surveillance Compromise: Attackers could access, manipulate, or delete sensitive surveillance footage, disrupting investigations or compromising privacy.
- Data Exfiltration: Attackers could steal confidential information stored on the NVR, such as access credentials, network configurations, or personal data.
- Network Intrusion: Attackers could use the compromised NVR as a foothold to penetrate deeper into the network, potentially targeting other connected devices or systems.
- Denial of Service (DoS): Attackers could disrupt the NVR’s operation, rendering the surveillance system unusable.
Impacted Devices and Firmware Versions
The vulnerability affects VIGI NVR4032H devices running firmware version VIGI NVR4032H(UN)_V1_1.0.1 Build 230628. Several other TP-Link VIGI NVR models that share the same codebase are likely vulnerable as well.
Public Disclosure and Proof-of-Concept
The SSD Secure Disclosure analysts have made the details of the vulnerability public, including step-by-step exploitation instructions and a proof-of-concept (PoC) exploit. This transparency aims to prompt quick action from affected users and administrators to mitigate the risk.
Mitigation and Patching
TP-Link has released a firmware update, VIGI NVR4032H(UN)_V1_1.0.5 Build 240424, to address this critical vulnerability. All users of affected devices are strongly urged to update their firmware immediately.
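For administrators auditing a fleet, the following added example (not code from TP-Link, SSD Secure Disclosure or the researcher) classifies reported firmware strings against the affected and fixed versions named above. The string layout is assumed from the two identifiers in this article, and the inventory entries are constructed.

```python
import re
from typing import NamedTuple, Optional

# Versions quoted in the article, as (version tuple, build date YYMMDD).
MODEL = "VIGI NVR4032H"
AFFECTED = ((1, 0, 1), 230628)
FIXED = ((1, 0, 5), 240424)

# Assumed layout, generalized from the two strings in the article:
#   "<model>(<region>)_V<hw>_<version> Build <YYMMDD>"
FW_RE = re.compile(
    r"^(?P<model>VIGI NVR\w+)\((?P<region>\w+)\)_V(?P<hw>\d+)_"
    r"(?P<ver>\d+(?:\.\d+)+)\s+Build\s+(?P<build>\d{6})$"
)

class Firmware(NamedTuple):
    model: str
    version: tuple
    build: int

def parse_firmware(text: str) -> Optional[Firmware]:
    """Parse a firmware identifier; return None if it does not match."""
    m = FW_RE.match(text.strip())
    if m is None:
        return None
    version = tuple(int(p) for p in m.group("ver").split("."))
    return Firmware(m.group("model"), version, int(m.group("build")))

def classify(text: str) -> str:
    fw = parse_firmware(text)
    if fw is None:
        return "unparseable"
    if fw.model != MODEL:
        # The article says sibling models are likely vulnerable but gives no versions.
        return "other-model"
    key = (fw.version, fw.build)
    if key >= FIXED:
        return "patched"
    if key == AFFECTED:
        return "affected"
    # Older than the fix but not the build named in the article: status not stated.
    return "upgrade-recommended"

# Constructed inventory: hostnames, the 1.0.3 build and the NVR9999X model are made up.
INVENTORY = {
    "nvr-lobby": "VIGI NVR4032H(UN)_V1_1.0.1 Build 230628",
    "nvr-dock": "VIGI NVR4032H(UN)_V1_1.0.5 Build 240424",
    "nvr-lab": "VIGI NVR4032H(UN)_V1_1.0.3 Build 231101",
    "nvr-annex": "VIGI NVR9999X(UN)_V1_1.0.1 Build 230628",
}

if __name__ == "__main__":
    for host, fw in INVENTORY.items():
        print(f"{host}: {classify(fw)}")
```

Devices reported as "other-model" or "upgrade-recommended" need a check against TP-Link's own release notes, since the article gives no version details for them.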