Threat actors target critical TBK digital video recording system vulnerability

Target Industry

TBK Vision products are deployed in the following industry sectors:

– Financial

– Government

– Retail


Threat actors are actively exploiting an unpatched authentication bypass vulnerability in TBK digital video recording (DVR) systems, tracked as CVE-2018-9995 (CVSSv3 Score: 9.8 – Critical). According to recent reporting, there have been more than 50,000 attempts to exploit vulnerable TBK DVR systems.

Proof-of-Concept (PoC) exploit code has been released for the vulnerability in the affected servers. The exploit sends a maliciously crafted HTTP cookie, and vulnerable systems respond with administrator credentials in the form of JSON data.


Successful exploitation of CVE-2018-9995 allows threat actors to bypass authentication on the target system and obtain administrative privileges, ultimately leading to access to camera video feeds.

Affected Products

– TBK DVR4104 and TBK DVR4216 systems

Containment, Mitigations & Remediations

At the time of writing, a security update has not been released for this vulnerability. It is therefore strongly recommended that users replace vulnerable systems with supported models or isolate them from the internet to prevent unauthorised access.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are currently available.
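
With no IoCs published, the behaviour described above (a cookie-bearing request to a DVR answered with JSON containing account credentials) can be hunted in captured HTTP transactions. The Python below is an added example, not taken from the PoC or the Fortinet report; the record fields, JSON key names, addresses and trusted network range are assumptions, and the sample records are constructed.

```python
import ipaddress
import json

# Assumption: key names that mark a credential listing; tune to your firmware.
USER_KEYS = {"uid", "user", "username"}
SECRET_KEYS = {"pwd", "pass", "password"}


def _has_credentials(node):
    """Recursively look for an object holding both a user and a secret field."""
    if isinstance(node, dict):
        keys = {k.lower() for k in node}
        if keys & USER_KEYS and keys & SECRET_KEYS:
            return True
        return any(_has_credentials(v) for v in node.values())
    if isinstance(node, list):
        return any(_has_credentials(v) for v in node)
    return False


def flag_credential_disclosure(records, dvr_hosts, trusted_nets):
    """Flag DVR responses that hand JSON credentials to an untrusted source."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for rec in records:
        if rec["dst"] not in dvr_hosts or not rec.get("cookie"):
            continue  # only cookie-bearing requests to known DVR assets
        if any(ipaddress.ip_address(rec["src"]) in n for n in nets):
            continue  # assumption: management subnets are exempt
        try:
            body = json.loads(rec["resp_body"])
        except (ValueError, TypeError):
            continue  # non-JSON responses cannot carry the credential list
        if rec["status"] == 200 and _has_credentials(body):
            hits.append(rec)
    return hits


# Constructed sample records (not real traffic); cookie values are placeholders.
FIELDS = ("src", "dst", "cookie", "status", "resp_body")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("203.0.113.7", "10.0.5.20", "<placeholder>", 200, '{"list": [{"uid": "admin", "pwd": "<redacted>"}]}'),
    ("10.0.1.15", "10.0.5.20", "<placeholder>", 200, '{"list": [{"uid": "admin", "pwd": "<redacted>"}]}'),
    ("198.51.100.9", "10.0.5.20", "<placeholder>", 401, "Unauthorized"),
    ("198.51.100.9", "10.0.5.20", "<placeholder>", 200, '{"channels": [1, 2, 3, 4]}'),
]]

if __name__ == "__main__":
    print([h["src"] for h in flag_credential_disclosure(SAMPLE, {"10.0.5.20"}, ["10.0.0.0/8"])])
```

Any hit against a device that should not be reachable from the flagged source also indicates that the isolation recommended above is not in place.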

Threat Landscape

Because DVR systems are typically located on internal networks, they are an attractive target for threat actors, who can exploit them for initial access and data theft. Reporting has indicated a recent increase in attempted exploitation of TBK DVR devices.

TBK has a significant portion of the surveillance camera market share. Threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on. As a result, the TBK products have become a prime target. Because these camera models have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities contained within these devices for the purposes of data extraction.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies


TA0004 – Privilege Escalation

Further Information

Proof-of-Concept Exploit Code

Fortinet Report


Intelligence Terminology Yardstick