New Mirai botnet behind surge in TVT DVR exploitation www.bleepingcomputer.com/news/secu…

A significant spike in exploitation attempts targeting TVT NVMS9000 DVRs has been detected, peaking on April 3, 2025, with over 2,500 unique IPs scanning for vulnerable devices.

The attacks attempt to exploit an information disclosure vulnerability first disclosed by an SSD Advisory in May 2024, which published the full exploitation details on retrieving admin credentials in cleartext using a single TCP payload.

The exploitation results in an authentication bypass, allowing attackers to execute administrative commands on the device without restriction.

According to the threat monitoring platform GreyNoise, which detected the exploitation activity, it’s likely tied to a Mirai-based malware that seeks to incorporate the devices into its botnet.

Typically, infected devices are then used to proxy malicious traffic, cryptomining, or launch distributed denial of service (DDoS) attacks.