CVE-2016-20016

MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.exploit-db.com/exploits/41471	Exploit Third Party Advisory VDB Entry
https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/	Exploit Third Party Advisory
https://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/	Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:mvpower:tv-7104he_firmware:1.8.4_115215b9:*:*:*:*:*:*:*

cpe:2.3:h:mvpower:tv-7104he:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:mvpower:tv7108he_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mvpower:tv7108he:-:*:*:*:*:*:*:*

Information

Published : 2022-10-18 22:15

Updated : 2022-10-21 09:52

NVD link : CVE-2016-20016

Mitre link : CVE-2016-20016

JSON object : View

CWE

NVD-CWE-noinfo

Advertisement

Products Affected

mvpower

tv-7104he
tv-7104he_firmware
tv7108he_firmware
tv7108he

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://www.exploit-db.com/exploits/41471", "name": "https://www.exploit-db.com/exploits/41471", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": "MISC"}, {"url": "https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/", "name": "https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/", "tags": ["Exploit", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/", "name": "https://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/", "tags": ["Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the \"JAWS webserver RCE\" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2016-20016", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2022-10-19T05:15Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:mvpower:tv-7104he_firmware:1.8.4_115215b9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:mvpower:tv-7104he:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:mvpower:tv7108he_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:mvpower:tv7108he:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-10-21T16:52Z"}