In a worrying trend for cybersecurity, TVT DVRs have emerged as the latest targets for the notorious Mirai botnet. Here’s what you need to know about this escalating threat.
The Surge in Exploitation Attempts
Cybersecurity researchers at GreyNoise have identified a significant spike in exploitation attempts targeting TVT NVMS9000 DVRs. On April 3, 2025, the activity peaked with over 2,500 unique IP addresses scanning for vulnerable devices. This surge is linked to a Mirai-based malware that exploits an information disclosure vulnerability first disclosed in May 2024.
The Vulnerability
The vulnerability in question allows threat actors to bypass authentication and execute administrative commands on the DVRs without any restrictions. This exploit involves a single TCP payload that retrieves admin credentials in cleartext, granting attackers unrestricted access to the devices. The affected DVRs are those running firmware versions prior to 1.3.4, although a patch has been available since the vulnerability was reported.
Mirai Botnet: A Historical Threat
The Mirai botnet is no stranger to the cybersecurity landscape. Known for its ability to turn networked devices into remotely controlled bots, Mirai has been behind some of the most significant Distributed Denial of Service (DDoS) attacks in recent history. It continuously scans the internet for vulnerable IoT devices, using a list of common default usernames and passwords to infect them.
Current Activity
In the past month, GreyNoise has logged 6,600 distinct IP addresses associated with this malicious activity, all of which have been confirmed to be non-spoofable and malicious. The majority of these attacks originate from Taiwan, Japan, and South Korea, while the targeted devices are primarily located in the U.S., the U.K., and Germany.
Impact and Practical Consequences
Infected devices are often used for nefarious purposes such as proxying malicious traffic, cryptomining, or launching DDoS attacks. Users of these DVRs may notice signs of infection, including outbound traffic spikes, sluggish performance, frequent crashes or reboots, high CPU/memory usage even when idle, and altered configurations.
Mitigation Steps
To protect your TVT DVRs, it is crucial to upgrade to firmware version 1.3.4 or later. If upgrading is not possible, restricting public internet access to DVR ports and blocking incoming requests from the IP addresses listed by GreyNoise can help mitigate the risk. In case of infection, disconnect the DVR from the network, perform a factory reset, update to the latest firmware, and then isolate it from the main network.
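The mitigation steps above can be turned into a fleet triage check. The following is an added example, not code from GreyNoise or TVT: it compares each DVR's firmware against 1.3.4 numerically (so 1.3.10 is not mistaken for an older release), matches inbound sources against a blocklist, and lists the resulting actions. The inventory fields, device names, addresses and firmware string format are constructed assumptions, as is the choice to flag a vulnerable device contacted by a listed source for an infection check.

```python
import ipaddress
import re

FIXED = (1, 3, 4)  # first fixed firmware version, per the article

def parse_version(text):
    # Leading dotted version as a 3-tuple; None when nothing parseable is found.
    m = re.match(r"\s*[vV]?(\d+(?:\.\d+)*)", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def load_blocklist(lines):
    # Accept single IPs or CIDRs; skip blanks and '#' comments.
    entries = (line.split("#", 1)[0].strip() for line in lines)
    return [ipaddress.ip_network(e, strict=False) for e in entries if e]

def triage(devices, blocklist, inbound):
    # Map device name -> actions taken from the article's mitigation steps.
    report = {}
    for dev in devices:
        ver = parse_version(dev["firmware"])
        vulnerable = ver is None or ver < FIXED  # unknown version: assume unpatched
        actions = []
        if vulnerable:
            actions.append("upgrade firmware to 1.3.4 or later")
            if dev["internet_exposed"]:
                actions.append("restrict public internet access to DVR ports")
        hits = sorted({src for src, dst in inbound if dst == dev["ip"]
                       and any(ipaddress.ip_address(src) in net for net in blocklist)})
        if hits:
            actions.append("block listed sources: " + ", ".join(hits))
            if vulnerable:
                actions.append("check for signs of infection")
        report[dev["name"]] = actions
    return report

# Constructed sample data (documentation address ranges, hypothetical device names).
DEVICES = [
    {"name": "lobby-dvr", "ip": "10.0.5.10", "firmware": "1.3.2", "internet_exposed": True},
    {"name": "dock-dvr", "ip": "10.0.5.11", "firmware": "V1.3.4 build 2501", "internet_exposed": True},
    {"name": "lab-dvr", "ip": "10.0.5.12", "firmware": "", "internet_exposed": False},
]
BLOCKLIST = load_blocklist(["# constructed entries", "203.0.113.0/24", "198.51.100.7"])
INBOUND = [("203.0.113.45", "10.0.5.10"), ("192.0.2.9", "10.0.5.10"), ("198.51.100.7", "10.0.5.11")]

if __name__ == "__main__":
    for name, actions in triage(DEVICES, BLOCKLIST, INBOUND).items():
        print(name, "->", actions or ["no action"])
```

A device whose firmware string cannot be parsed is treated as unpatched, so it surfaces for manual verification rather than silently passing.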
Broader Context: Mirai’s Ongoing Threat
Mirai’s activities are not limited to DVRs. Recently, the botnet has also targeted industrial routers with zero-day exploits and other IoT devices such as smart home devices and business phone systems. This underscores the need for constant vigilance and proactive security measures across all internet-connected devices.
User Experience and Security
The targeting of DVRs by Mirai highlights the importance of keeping all IoT devices up to date with the latest security patches. Users should ensure that default passwords are changed and that remote access is disabled if not necessary. Segmenting networks and adding firewalls can also enhance security.
Conclusion
As the threat landscape continues to evolve, it’s clear that no device is immune to the reach of sophisticated botnets like Mirai. Staying informed and taking proactive security steps are crucial in protecting your devices and networks from these ongoing threats.