TBK DVR command injection flaw actively exploited (CVE-2024-3721)
Vulnerability
Summary
The CVE-2024-3721 command injection flaw in TBK DVR systems is being actively exploited to gain access and install Nexcorium malware. Attackers abuse crafted requests to trigger a downloader script that pulls malicious Linux binaries for multiple architectures. The result is remote compromise of exposed DVR devices and a foothold for a Mirai-based botnet.
Related Happenings
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
How related:
The activity targets CVE-2024-3721 in TBK DVR systems, enabling attackers to gain access and install a multi-architecture Mirai variant malware known as Nexcorium.
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
BPFDoor Linux backdoor with HTTPS-hidden trigger packets
Malware Activity
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A newly disclosed **BPFDoor** variant is hiding trigger packets inside **HTTPS traffic** and using **ICMP** between infected hosts, making the **Linux** backdoor harder to detect...
BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave
Exploitation Wave
First: 12.02.2026 23:34
Last: 12.02.2026 23:34
Sources 1
About this happening:
**CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...
HPE OneView RondoDox exploitation wave (CVE-2025-37164)
Exploitation Wave
First: 16.01.2026 11:15
Last: 16.01.2026 11:15
Sources 1
About this happening:
**RondoDox** has driven a **large-scale exploitation wave** against **HPE OneView** by targeting **CVE-2025-37164**, with activity escalating into **automated attacks** that creat...
Timeline
20.04.2026 16:01 · 2 articles
FortiGuard Labs discloses CVE-2024-3721 exploitation in TBK DVR systems
Initial Disclosure
FortiGuard Labs reports active exploitation of CVE-2024-3721 in TBK DVR systems to install the Mirai-based Nexcorium malware; crafted requests abuse vulnerable parameters to launch a downloader script that retrieves Linux binaries for ARM, MIPS and x86-64 systems, and attack traffic includes a custom HTTP header referencing "Nexus Team".
- Attackers Exploit DVR Command Injection Flaw to Deploy Mirai-Based Botnet — www.infosecurity-magazine.com — 20.04.2026 16:01