TP-Link Network Video Recorder Vulnerability Allows Arbitrary Command Execution

TP-Link has released a critical security advisory addressing two high-severity command injection vulnerabilities affecting its VIGI network video recorder (NVR) systems, potentially allowing attackers to execute arbitrary commands on affected devices.

The vulnerabilities, designated as CVE-2025-7723 and CVE-2025-7724, impact two specific models: the VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2.

Both vulnerabilities carry high CVSS v4.0 scores of 8.5 and 8.7, respectively, indicating significant security risks for organizations using these surveillance systems.

Critical Security Flaws Discovered

The flaws are OS command injection vulnerabilities, covering both an authenticated and an unauthenticated case.

CVE-2025-7723 carries a CVSS score of 8.5, while CVE-2025-7724 poses an even greater threat with a score of 8.7.

The higher score for CVE-2025-7724 reflects its unauthenticated nature, meaning attackers don’t need valid credentials to exploit the vulnerability.

According to TP-Link’s security advisory, updated on July 22, 2025, these vulnerabilities could enable malicious actors to execute arbitrary commands on the device’s underlying operating system.

This level of access could potentially compromise entire surveillance networks and expose sensitive security footage or system configurations.

Affected Systems and Solutions

VIGI NVR1104H-4P V1 systems running firmware versions before 1.1.5 Build 250518 are vulnerable to both vulnerabilities.

Similarly, VIGI NVR2016H-16MP V2 devices with firmware versions before 1.3.1 Build 250407 face the same security risks.

TP-Link has already released patched firmware versions to address these vulnerabilities.

Users of the NVR1104H-4P V1 should upgrade to firmware version 1.1.5 Build 250518, while NVR2016H-16MP V2 users need to install version 1.3.1 Build 250407.
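To check a fleet against the fixed versions above, the following added example (not code from TP-Link or from the original article) compares each recorder's firmware string with the patched release for its model. The hostnames, the sample firmware strings in the inventory and the function names are constructed for illustration, and the "x.y.z Build YYMMDD" format is assumed from how the article writes versions.

```python
import re

# Fixed firmware per affected model and hardware revision, as stated in the article.
FIXED = {
    ("VIGI NVR1104H-4P", "V1"): "1.1.5 Build 250518",
    ("VIGI NVR2016H-16MP", "V2"): "1.3.1 Build 250407",
}

# Assumed format: "<major>.<minor>.<patch> Build <YYMMDD>", trailing text ignored.
FW_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{6})\b", re.IGNORECASE)


def parse_firmware(text):
    """Return (major, minor, patch, build) so versions compare as tuples."""
    match = FW_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(group) for group in match.groups())


def assess(model, hw_rev, firmware):
    """Classify one device: patched, vulnerable, unknown, or not-listed."""
    fixed = FIXED.get((model.strip().upper(), hw_rev.strip().upper()))
    if fixed is None:
        return "not-listed"      # model/revision is not named in the advisory
    try:
        current = parse_firmware(firmware)
    except ValueError:
        return "unknown"         # treat as needing manual inspection
    return "patched" if current >= parse_firmware(fixed) else "vulnerable"


# Constructed inventory: (hostname, model, hardware revision, firmware string).
INVENTORY = [
    ("nvr-lobby", "VIGI NVR1104H-4P", "V1", "1.1.4 Build 240912"),
    ("nvr-warehouse", "VIGI NVR1104H-4P", "V1", "1.1.5 Build 250518"),
    ("nvr-garage", "VIGI NVR2016H-16MP", "V2", "1.3.0 Build 241120"),
    ("nvr-annex", "VIGI NVR2016H-16MP", "V2", "unreadable"),
]


def report(inventory):
    """Map each hostname to its assessment."""
    return {host: assess(model, rev, fw) for host, model, rev, fw in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "unknown" should be checked by hand rather than assumed patched.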

Immediate Action Required

The company strongly recommends that users take immediate action to protect their systems. Organizations should download and install the latest firmware updates as soon as possible.

Additionally, TP-Link advises users to carefully review their device configurations after the firmware upgrade to ensure all security settings remain properly configured.

The updated firmware packages are available through TP-Link’s official support channels, with direct download links provided in the security advisory for both affected models.

Industry Impact

This security disclosure highlights ongoing challenges in IoT and surveillance device security.

Network video recorders are critical components of modern security infrastructure, making these vulnerabilities particularly concerning for businesses and organizations relying on VIGI systems for surveillance operations.

TP-Link has emphasized that users who fail to implement the recommended updates will remain vulnerable to potential attacks, with the company disclaiming responsibility for consequences that could have been prevented through proper patch management.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.