Widespread Exploitation Attempts Targeting IoT Device
Threat actors are actively exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR devices (Digital Video Recorders). This flaw allows unauthenticated remote code execution (RCE) via crafted HTTP requests to the endpoint. The compromised devices are conscripted into a botnet capable of conducting DDoS attacks.
Common Vulnerabilities and Exposures
Background
FortiGuard Labs has detected a significant increase in malicious network activity exploiting CVE-2024-3721, a critical unauthenticated command injection vulnerability affecting TBK DVR devices. FortiGuard’s global network of intrusion prevention system (IPS) sensors recorded over 60,000 detection events, indicating widespread and coordinated exploitation attempts.
Our telemetry data reveals that multiple botnet operators are actively leveraging this vulnerability to expand their infrastructure. Notably, we have observed payloads and behaviors associated with the Condi, Fodcha, Mirai, and Unstable botnet families, each known for targeting IoT devices to perform large-scale distributed denial-of-service (DDoS) attacks and establish persistent remote access. FortiGuard Labs continues to monitor this threat and will provide further intelligence as it becomes available.
FortiGuard has previously released an Outbreak Alert for a different TBK vulnerability (CVE-2018-9995), which was exploited to spread a remote access trojan called HiatusRAT.
Latest Development
Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.
Currently, we are unaware of any vendor-supplied patch or update available for this issue. Immediate patching is recommended once available. Alternatively, we recommend isolating or replacing the TBK DVRs and monitoring for unusual traffic patterns or binary drops from DVRs. Organizations with internet-facing DVR systems are strongly urged to take immediate mitigation steps, including:
- Blocking known indicators of compromise (IoCs) linked to these botnets.
- Applying firmware patches or security updates from the vendor, if and when available.
- Restricting remote access to DVR interfaces and placing them behind firewalls or VPNs.
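One way to act on the monitoring recommendation above, as an added example that is not FortiGuard's code: a DVR normally talks only to its recorder or management host, so any other connection it initiates is worth an alert, and a large inbound transfer on such a connection may be a binary drop. The subnets, allowlist, byte threshold and flow-log format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumptions for this sketch (none of these values come from the advisory):
DVR_NET = ipaddress.ip_network("10.20.30.0/24")       # VLAN holding the DVRs
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # everything on-site
ALLOWED_DESTS = {ipaddress.ip_address("10.20.1.5"),   # recorder / management host
                 ipaddress.ip_address("10.20.1.10")}  # internal NTP server
DOWNLOAD_BYTES = 100_000   # inbound volume that suggests a file was fetched

# Constructed flow records: timestamp src dst dport proto bytes_out bytes_in
SAMPLE_FLOWS = """\
2025-06-10T01:00:01Z 10.20.30.11 10.20.1.5 554 tcp 90211 1200
2025-06-10T01:00:07Z 10.20.30.12 10.20.1.10 123 udp 76 76
2025-06-10T01:02:13Z 10.20.30.12 203.0.113.7 80 tcp 310 184320
2025-06-10T01:02:40Z 10.20.30.12 198.51.100.23 38241 tcp 5120 2048
2025-06-10T01:03:00Z 10.20.40.9 203.0.113.7 443 tcp 900 4000
2025-06-10T01:03:05Z malformed line
2025-06-10T01:04:00Z 10.20.30.12 10.20.50.4 23 tcp 120 0
"""

def parse_flow(line):
    """Return a flow dict, or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        return {"ts": parts[0], "src": ipaddress.ip_address(parts[1]),
                "dst": ipaddress.ip_address(parts[2]), "dport": int(parts[3]),
                "proto": parts[4], "out": int(parts[5]), "in": int(parts[6])}
    except ValueError:
        return None

def find_dvr_anomalies(log_text):
    """Flag DVR-initiated flows to any destination outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["src"] not in DVR_NET:
            continue                      # unparseable, or not a DVR
        if flow["dst"] in ALLOWED_DESTS:
            continue                      # expected video / NTP traffic
        reasons = ["internal-lateral" if flow["dst"] in INTERNAL_NET
                   else "external-egress"]
        # Much more data in than out on an unexpected flow: possible payload fetch.
        if flow["in"] >= DOWNLOAD_BYTES and flow["in"] > 10 * flow["out"]:
            reasons.append("possible-binary-download")
        alerts.append((flow["ts"], str(flow["src"]), str(flow["dst"]),
                       flow["dport"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_dvr_anomalies(SAMPLE_FLOWS):
        print(alert)
```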
- June 10, 2025: FortiGuard released a Threat Signal Report
  https://www.fortiguard.com/threat-signal-report/6127/tbk-dvrs-botnet-attack
- June 06, 2025: Analysis of the latest Mirai wave exploiting TBK DVR devices by Securelist
  https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-2024-3721/116742/
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
- Lure
- Decoy VM
- AV
- AV (Pre-filter)
- Behavior Detection
- IPS
- Botnet C&C
- IOC
- Outbreak Detection
- Automated Response
- Assisted Response Services
- NOC/SOC Training
- End-User Training
- Attack Surface Monitoring (Inside & Outside)
- Attack Surface Hardening
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.
References
Sources of information in support and relation to this Outbreak and vendor.