TBK DVRs Botnet Attack

What is the Attack?

Threat Actors are actively exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR devices (Digital Video Recorders). This flaw allows unauthenticated remote code execution (RCE) via crafted HTTP requests to the endpoint. The compromised devices are being conscripted into a botnet capable of conducting DDoS attacks.

If successfully exploited, there is a potential for significant disruption from DDoS attacks, lateral movement, or further malware delivery.

FortiGuard sensors observe a critical level of network telemetry related to attack attempts targeting this vulnerability (CVE-2024-3721). In the past, FortiGuard released an Outbreak Alert for a different TBK vulnerability (CVE-2018-9995), which was exploited to spread the Remote Access Trojan HiatusRAT: TBK DVR Authentication Bypass Attack | Outbreak Alert | FortiGuard Labs.

What is the recommended Mitigation?

Affected Devices Include:

  • TBK DVR-4104

  • TBK DVR-4216

Currently we are unaware of any vendor-supplied patch or update for this issue. Immediate patching is recommended once one becomes available. In the meantime, we recommend isolating or replacing the TBK DVRs and monitoring for unusual traffic patterns or binary drops originating from the DVRs.
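The interim mitigation above, monitoring DVR-originated traffic, can be turned into a simple baseline check. The following is an added example, not code from FortiGuard or this alert: it assumes a known inventory of DVR addresses and the handful of peers each DVR is expected to talk to (both constructed here), parses constructed firewall log lines in a generic key=value shape (not a vendor log format), and flags a DVR that fetches a file from an unexpected host or fans out to many unexpected destinations, the two behaviours a Mirai-style recruit would show.

```python
import re
from collections import defaultdict

# Constructed inventory (assumed values): DVR addresses and the peers they are
# expected to contact, e.g. the viewing station and the local DNS resolver.
DVR_HOSTS = {"10.0.5.10", "10.0.5.11"}
EXPECTED_PEERS = {"10.0.1.2", "10.0.1.53"}

# Constructed sample log lines in a generic key=value shape (not a vendor format).
# Addresses are documentation ranges; the URL path is made up for the example.
SAMPLE_LOGS = """\
src=10.0.5.10 dst=10.0.1.2 dport=443 proto=tcp bytes=1200
src=10.0.5.11 dst=10.0.1.2 dport=443 proto=tcp bytes=900
src=10.0.5.10 dst=203.0.113.7 dport=80 proto=tcp bytes=98 url=/bins/example.arm7
src=10.0.5.10 dst=198.51.100.1 dport=80 proto=tcp bytes=60
src=10.0.5.10 dst=198.51.100.2 dport=80 proto=tcp bytes=60
src=10.0.5.10 dst=198.51.100.3 dport=80 proto=tcp bytes=60
src=10.0.5.10 dst=198.51.100.4 dport=80 proto=tcp bytes=60
src=10.0.5.10 dst=198.51.100.5 dport=80 proto=tcp bytes=60
src=10.0.5.10 dst=198.51.100.6 dport=80 proto=tcp bytes=60
src=10.0.5.11 dst=10.0.1.53 dport=53 proto=udp bytes=70
src=10.0.2.20 dst=198.51.100.9 dport=443 proto=tcp bytes=5000
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
FANOUT_THRESHOLD = 5  # distinct unexpected destinations from one DVR before flagging


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def analyze(log_text, dvr_hosts=DVR_HOSTS, expected_peers=EXPECTED_PEERS,
            fanout=FANOUT_THRESHOLD):
    """Return {dvr_ip: [findings]} for DVRs whose traffic deviates from baseline.

    A DVR with only baseline traffic does not appear in the result."""
    unexpected_dsts = defaultdict(set)   # dvr -> destinations outside the baseline
    downloads = defaultdict(list)        # dvr -> "host/path" of file fetches

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        src = rec.get("src")
        if src not in dvr_hosts:
            continue  # only DVR-originated traffic is in scope
        dst = rec.get("dst")
        if dst in expected_peers:
            continue  # baseline traffic, nothing to report
        unexpected_dsts[src].add(dst)
        if "url" in rec:
            downloads[src].append(f"{dst}{rec['url']}")

    findings = {}
    for dvr in sorted(dvr_hosts):
        notes = []
        if downloads[dvr]:
            # A DVR has no business pulling files from arbitrary hosts.
            notes.append("file fetch from unexpected host: " + ", ".join(downloads[dvr]))
        count = len(unexpected_dsts[dvr])
        if count >= fanout:
            notes.append(f"fan-out to {count} unexpected destinations "
                         "(possible DDoS participation)")
        elif count:
            notes.append(f"{count} unexpected destination(s), review")
        if notes:
            findings[dvr] = notes
    return findings


if __name__ == "__main__":
    for dvr, notes in analyze(SAMPLE_LOGS).items():
        for note in notes:
            print(f"{dvr}: {note}")
```

The check is deliberately allow-list based: a DVR's legitimate peer set is small and stable, so anything outside it is worth a look, and the fan-out count separates a single stray connection from the burst of connections a DDoS node produces. The thresholds and the peer list are the parts to tune per site.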

What FortiGuard Coverage is available?

  • FortiGuard Labs has available IPS protection for CVE-2024-3721 which detects and blocks attack attempts targeting TBK DVR OS Command Injection. Intrusion Prevention | FortiGuard Labs

  • FortiGuard Labs has blocked all the known linked Indicators of Compromise (IOCs) including Mirai Botnet malware noted on the related campaigns.

  • Antimalware and Sandbox Service delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.
    ELF/Mirai.DDW!tr - Virus | FortiGuard Labs

  • The FortiGuard Incident Response team is available to assist with any suspected compromise.
