CVE-2024-14007

N/A Unknown

📋 TL;DR

This CVE describes an authentication bypass vulnerability in TVT Digital's NVMS-9000 firmware used by many DVR/NVR/IP camera products. Unauthenticated attackers can send a single crafted TCP payload to the control port to execute privileged administrative queries, exposing sensitive information including administrator credentials in cleartext. This affects numerous white-labeled security camera and recording devices running vulnerable firmware versions.

💻 Affected Systems

Products:
  • TVT Digital NVMS-9000 firmware
  • Various white-labeled DVR/NVR/IP camera products using NVMS-9000 firmware
Versions: All versions prior to 1.3.4
Operating Systems: Embedded Linux systems on DVR/NVR devices
Default Config Vulnerable: ⚠️ Yes
Notes: The NVMS-9000 control protocol port (typically TCP 9000) is often exposed by default on affected devices.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise leading to surveillance system takeover, credential harvesting across networks, lateral movement to other systems, and integration into botnets for DDoS attacks.

🟠 Likely Case

Credential theft enabling unauthorized access to surveillance systems, configuration data exposure, and device integration into IoT botnets like Mirai variants.

🟢 If Mitigated

Limited information disclosure if devices are behind firewalls with strict network segmentation, though credentials could still be exposed if accessed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Active exploitation observed in the wild by Mirai variant botnets. Single TCP packet exploit requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.4

Vendor Advisory: https://ssd-disclosure.com/ssd-advisory-nvms9000-information-disclosure/

Restart Required: Yes

Instructions:

  1. Identify affected devices.
  2. Contact device manufacturer for firmware update.
  3. Download firmware version 1.3.4 or later.
  4. Backup device configuration.
  5. Apply firmware update via device web interface.
  6. Verify update completed successfully.
  7. Change all administrator passwords.

🔧 Temporary Workarounds

Network Segmentation and Firewall Rules

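Platform: all

Block external access to the NVMS-9000 control port (typically TCP 9000) and restrict internal access to management networks only. The two commands below are host-firewall rules for Linux (iptables) and Windows (netsh) respectively; on a Linux gateway that routes traffic to the devices, the equivalent iptables rule belongs in the FORWARD chain rather than INPUT.

iptables -A INPUT -p tcp --dport 9000 -j DROP
netsh advfirewall firewall add rule name="Block NVMS-9000" dir=in action=block protocol=TCP localport=9000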

🧯 If You Can't Patch

  • Isolate affected devices on separate VLAN with strict firewall rules blocking all unnecessary ports
  • Implement network monitoring for suspicious traffic to port 9000 and credential extraction attempts

🔍 How to Verify

Check if Vulnerable:

Test if TCP port 9000 responds to crafted authentication bypass payload (public PoC available). Check firmware version via device web interface.

Check Version:

Check via device web interface: Settings > System > Version Information

Verify Fix Applied:

Verify firmware version is 1.3.4 or later in device settings. Test that authentication bypass payload no longer works.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected connections to port 9000
  • Multiple failed authentication attempts followed by successful queries
  • Administrative query commands from unauthorized IPs

Network Indicators:

  • TCP packets to port 9000 with specific payload patterns
  • Outbound connections to known C2 servers after exploitation
  • Unusual data exfiltration from DVR/NVR devices

SIEM Query:

destination_port=9000 AND (payload_contains="queryBasicCfg" OR payload_contains="queryUserList" OR payload_contains="queryEmailCfg")
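
The same indicator as an offline triage script; this is an added example, not code from the original page or the vendor. It flags the three administrative query names from the SIEM query when they are sent to the control port by a source outside the management network, and groups hits by target device so that each listed device can have its administrator passwords changed. Assumptions: the JSON field names (src, dst, dport, payload), the 10.20.0.0/24 management network and all sample events are constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

ADMIN_QUERIES = ("queryBasicCfg", "queryUserList", "queryEmailCfg")  # from the page's SIEM query
CONTROL_PORT = 9000  # "typically TCP 9000"; change if the device uses another port
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed management network

# Constructed sensor events, one JSON object per line; field names are hypothetical.
SAMPLE_EVENTS = """\
{"src": "203.0.113.45", "dst": "192.0.2.10", "dport": 9000, "payload": "xx queryBasicCfg xx"}
{"src": "203.0.113.45", "dst": "192.0.2.10", "dport": 9000, "payload": "xx queryUserList xx"}
{"src": "10.20.0.5", "dst": "192.0.2.10", "dport": 9000, "payload": "xx queryBasicCfg xx"}
{"src": "198.51.100.7", "dst": "192.0.2.11", "dport": 9000, "payload": "keepalive"}
{"src": "198.51.100.7", "dst": "192.0.2.11", "dport": 80, "payload": "xx queryEmailCfg xx"}
truncated-line-not-json
{"src": "198.51.100.7", "dst": "192.0.2.11", "dport": 9000, "payload": "xx queryEmailCfg xx"}
"""

def is_mgmt(ip):
    """True if ip parses and falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable or missing source is treated as untrusted
    return any(addr in net for net in MGMT_NETS)

def find_hits(lines):
    """Yield (event, commands) for admin queries sent to the control port by non-management sources."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed sensor lines
        if not isinstance(ev, dict) or ev.get("dport") != CONTROL_PORT:
            continue
        cmds = [c for c in ADMIN_QUERIES if c in str(ev.get("payload", ""))]
        if cmds and not is_mgmt(ev.get("src", "")):
            yield ev, cmds

def devices_to_rotate(lines):
    """Map each targeted device to the sources and commands seen against it."""
    report = defaultdict(lambda: {"sources": set(), "commands": set()})
    for ev, cmds in find_hits(lines):
        entry = report[ev.get("dst", "unknown")]
        entry["sources"].add(ev.get("src", "unknown"))
        entry["commands"].update(cmds)
    return dict(report)

if __name__ == "__main__":
    for device, seen in sorted(devices_to_rotate(SAMPLE_EVENTS.splitlines()).items()):
        print(device, sorted(seen["sources"]), sorted(seen["commands"]))
```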
