GreyNoise has detected a significant rise in exploitation attempts targeting TVT NVMS9000 DVRs, a line of digital video recorders primarily used in security and surveillance systems.
The activity, which surged starting March 31, 2025, and peaked on April 3, revealed over 2,500 unique malicious IP addresses attempting to exploit an information disclosure vulnerability found in these devices.
Over the past 30 days, GreyNoise has identified more than 6,600 unique IPs targeting the flaw, confirming that all such IPs are malicious and non-spoofable.
Surge in Exploitation Attempts Against TVT NVMS9000 DVRs
This vulnerability allows attackers to gain administrative control over compromised systems, potentially transforming affected DVR units into tools for further malicious activity.
Manufactured by Shenzhen-based TVT Digital Technology Co., Ltd., NVMS9000 DVRs are deployed globally for video recording, storage, and management in security and surveillance setups.
A company report states that TVT has served customers across over 120 countries, underscoring the widespread impact of this security issue.
GreyNoise analysts have further noted a connection between this exploit activity and the notorious Mirai botnet, a malware known for targeting Internet of Things (IoT) devices.
Historical reports have frequently cited TVT NVMS9000 DVRs as vulnerable points for botnet recruitment efforts, including GreyNoise’s identification of Mirai activity targeting these devices as recently as early March 2025.
Global Scope and Distribution of Threat
Most of the malicious traffic originates from the Asia-Pacific (APAC) region, with Taiwan, Japan, and South Korea leading as the top source countries.
In the last 30 days, Taiwan accounts for 3,637 malicious IPs, Japan for 809 IPs, and South Korea for 542 IPs.
On the receiving end, systems in the United States (6,471 IPs), United Kingdom (5,738 IPs), and Germany (5,713 IPs) are the most targeted destinations for these exploitation attempts.
This geographic distribution suggests a concerted effort to compromise DVRs located in regions with dense deployments of security infrastructure, potentially to enlist them in further botnet campaigns or disrupt critical surveillance capabilities.
Organizations operating TVT NVMS9000 DVRs or similar systems must prioritize securing these devices to mitigate risks associated with this vulnerability.
GreyNoise recommends the immediate blocking of known malicious IPs attempting to exploit the flaw, which is accessible via their platform.
Additionally, applying vendor-released patches, restricting public internet access to DVR management interfaces, and monitoring network traffic for unusual scanning or exploitation activity are indispensable steps for reducing exposure.
Failure to implement these countermeasures could leave affected systems vulnerable to administrative takeover, data theft, and broader network compromise.
The exploitation attempts observed are part of a wider trend targeting IoT devices, reaffirming the need for robust perimeter defense and timely vulnerability remediation for organizations relying on connected surveillance equipment.
As the attack campaign associated with Mirai continues to evolve, proactive defensive measures will be crucial in curbing its expansion and safeguarding critical systems globally.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
