TP-Link Network Video Recorder Vulnerability Enables Arbitrary Command Execution

TP-Link has disclosed two high-severity vulnerabilities affecting two of its VIGI Network Video Recorder models, each of which allows an attacker to execute arbitrary commands on the device's underlying operating system.

The vulnerabilities, tracked as CVE-2025-7723 and CVE-2025-7724, affect the VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2. Both carry High CVSS v4.0 scores: 8.5 for CVE-2025-7723 and 8.7 for CVE-2025-7724.

Vulnerability Details and Attack Vector

Both flaws are OS command injection bugs: one is reachable only by an authenticated user, the other requires no authentication at all. Either one gives an attacker shell-level command execution on the recorder, which is why they matter to any organization running these devices.

CVE-2025-7723 affects authenticated scenarios with a CVSS v4.0 score of 8.5, while CVE-2025-7724 targets unauthenticated access points with an even higher score of 8.7.

The unauthenticated nature of CVE-2025-7724 makes it particularly concerning, as attackers could potentially exploit the vulnerability without requiring valid credentials.

Both vulnerabilities are rated with an adjacent attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. In CVSS terms, "adjacent" means the attacker must already be on the same local network segment as the NVR's management interface (for example the same VLAN or Wi-Fi network); the bugs are not reachable from the internet unless the device has been exposed.

In practice, anyone with a foothold on that segment, such as a compromised workstation or camera, could leverage these flaws to take full control of the affected recorder. The practical exposure is larger if the web interface has been port-forwarded or otherwise made reachable from outside the segment.

CVE ID          Product Model            Affected Version        Fixed Version           CVSS v4.0 Score
CVE-2025-7723   VIGI NVR1104H-4P V1      < 1.1.5 Build 250518    1.1.5 Build 250518      8.5 (High)
CVE-2025-7723   VIGI NVR2016H-16MP V2    < 1.3.1 Build 250407    1.3.1 Build 250407      8.5 (High)
CVE-2025-7724   VIGI NVR1104H-4P V1      < 1.1.5 Build 250518    1.1.5 Build 250518      8.7 (High)
CVE-2025-7724   VIGI NVR2016H-16MP V2    < 1.3.1 Build 250407    1.3.1 Build 250407      8.7 (High)

The ability to execute arbitrary commands on network video recorders poses severe security risks, particularly in enterprise environments where these devices often handle sensitive surveillance data.

Successful exploitation could lead to unauthorized access to recorded footage, device manipulation, or use of compromised systems as pivot points for lateral network movement.

TP-Link has released firmware updates addressing both vulnerabilities and strongly recommends immediate deployment of the patches.

Users must update VIGI NVR1104H-4P V1 devices to firmware version 1.1.5 Build 250518, while VIGI NVR2016H-16MP V2 units require version 1.3.1 Build 250407.

Organizations operating affected TP-Link VIGI NVR systems should prioritize the firmware update and then verify the upgrade took effect: confirm the running firmware version matches the fixed build, check for unexpected administrator accounts or configuration changes, and review which hosts can reach the recorder's management interface. Because CVE-2025-7724 needs no credentials, a strong admin password alone does not mitigate it.
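One way to turn the fixed-version list above into a repeatable inventory check, as an added example that is not TP-Link's code or tooling: it parses firmware strings of the form the advisory uses ("1.1.5 Build 250518"), compares each device to the fixed build for its model, and flags anything older. The hostnames and pre-fix firmware values in the sample inventory are constructed, and the helper names (`parse_firmware`, `is_affected`, `triage`) are assumptions.

```python
# Added example (not TP-Link's code): triage a device inventory against the
# fixed firmware versions named in the advisory. The inventory entries and
# the helper names are constructed for illustration.
import re
from typing import Dict, List, Optional, Tuple

# Fixed firmware per affected model, as published in the advisory.
FIXED_FIRMWARE: Dict[str, str] = {
    "VIGI NVR1104H-4P V1": "1.1.5 Build 250518",
    "VIGI NVR2016H-16MP V2": "1.3.1 Build 250407",
}
ADVISORY_CVES = ("CVE-2025-7723", "CVE-2025-7724")

# Firmware strings look like "1.1.5 Build 250518": a dotted version followed
# by a build number. Assumed format; adjust the regex if a device exports
# its version differently.
_FW_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d+)\s*$", re.IGNORECASE)


def parse_firmware(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.1.5 Build 250518' into (1, 1, 5, 250518) so it compares as a tuple."""
    m = _FW_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def normalise_model(model: str) -> str:
    # Device exports vary in spacing and case; collapse both before lookup.
    return " ".join(model.upper().split())


def is_affected(model: str, firmware: str) -> Optional[bool]:
    """True = still on pre-fix firmware, False = at or past the fixed build,
    None = model is not one the advisory covers (no claim either way)."""
    fixed = next((v for k, v in FIXED_FIRMWARE.items()
                  if normalise_model(k) == normalise_model(model)), None)
    if fixed is None:
        return None
    # Tuple comparison: any lower version component, or the same version with
    # an older build number, counts as pre-fix. This is deliberately
    # conservative; a newer build of an older version line is still flagged.
    return parse_firmware(firmware) < parse_firmware(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each (hostname, model, firmware) entry to a one-line verdict."""
    verdicts: Dict[str, str] = {}
    for host, model, firmware in inventory:
        try:
            status = is_affected(model, firmware)
        except ValueError as exc:
            # Unparseable version strings are surfaced, not silently skipped.
            verdicts[host] = f"UNKNOWN ({exc})"
            continue
        if status is None:
            verdicts[host] = "not covered by this advisory"
        elif status:
            verdicts[host] = "VULNERABLE (" + ", ".join(ADVISORY_CVES) + ")"
        else:
            verdicts[host] = "patched"
    return verdicts


# Constructed sample inventory; hostnames, the "NVR-OTHER" model and the
# pre-fix build numbers are invented for the example.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("nvr-lobby",     "VIGI NVR1104H-4P V1",   "1.1.4 Build 250211"),
    ("nvr-dock",      "vigi nvr1104h-4p v1",   "1.1.5 Build 250518"),
    ("nvr-warehouse", "VIGI NVR2016H-16MP V2", "1.3.0 Build 250120"),
    ("nvr-hq",        "VIGI NVR2016H-16MP V2", "1.3.2 Build 250601"),
    ("nvr-other",     "VIGI NVR-OTHER V1",     "2.0.0 Build 250101"),
    ("nvr-broken",    "VIGI NVR1104H-4P V1",   "unknown"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {verdict}")
```

The check reports three states rather than a boolean so that models the advisory does not mention are not silently marked "patched"; a device whose version string does not parse is likewise reported as unknown so it gets looked at by hand rather than dropped from the list.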

TP-Link's advisory notes that devices left on pre-fix firmware remain exposed, and that the company disclaims responsibility for consequences arising from failure to apply the recommended updates.

The disclosure underscores the ongoing importance of maintaining current firmware versions and implementing robust network security measures for IoT and surveillance equipment.
