Critical Vulnerability Cripples Visual Tools DVR Allowing RCE Attacks

Researchers have found a serious vulnerability in the Visual Tools DVR that threatens user security. As observed, exploiting this vulnerability allows remote code execution attacks. To make things worse, the bug goes under attack before any patch.

Visual Tools DVR Vulnerability

Researchers from the Italian security firm Swascan have discovered a critical vulnerability in the Visual Tools DVR. Visual Tools is a dedicated video recording and surveillance product from the tech firm AX Solutions.

The vulnerability in question exists in the DVR firmware VX16 version 4.2.28.0. The researchers caught the bug while pentesting a Visual Tools client.

Briefly, they noticed a command injection flaw that allowed an attacker to execute arbitrary codes via unauthenticated remote access on the target Linux-based system. As stated in their advisory,

In Visual Tools DVR VX16 4.2.28, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header. It is possible to launch the attack remotely without any form authentication.

This vulnerability, CVE-2021-42071, has attained a critical severity rating with a CVSs score of 9.8. The researchers have also shared the PoC exploit in their advisory.

Right after this discovery in June 2020, Swascan reached out to the vendors to report the matter. However, even after a year, the bug remains unpatched, forcing the researchers for public disclosure.

Unpatched Bug Exploited In The Wild

While the silence from the vendors regarding this vulnerability was terrible, the bug has regrettably caught the attention of threat actors.

Recently, Juniper Networks shared details about FreakOut botnet in their post. As discovered, the threat actors are exploiting the unpatched vulnerability to target users with malware Necro (or N3Cr0m0rPh , Freakout, Python.IRCBot). This malware transforms the infected devices into bots for Monero mining by deploying XMRig.

Since the bug remains unpatched until the time of writing, users should remain careful about their DVRs. As possible mitigation, Swascan recommends deploying the devices online behind a VPN connection.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients