Mirai Variant Nexcorium Exploits CVE‑2024‑3721 to Hijack TBK DVRs, Fueling Large‑Scale DDoS Botnet
What It Is — A newly‑observed Mirai‑family botnet variant, dubbed Nexcorium, is leveraging a command‑injection flaw (CVE‑2024‑3721) in TBK digital video recorders (DVRs) to gain root access and enlist the devices in a distributed denial‑of‑service (DDoS) network. The same campaign also targets end‑of‑life TP‑Link Wi‑Fi routers, expanding the botnet’s size.
Exploitability — The vulnerability (CVSS 6.3) is publicly known and actively exploited in the wild. Proof‑of‑concept exploits have been shared on underground forums, and both Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 have observed large‑scale scanning and successful compromises.
Affected Products —
- TBK DVR models (various firmware versions)
- TP‑Link consumer Wi‑Fi routers that have reached end‑of‑life (no longer receive patches)
TPRM Impact — Organizations that embed TBK DVRs in surveillance, retail, or industrial monitoring systems may experience service disruption, reputational damage, and indirect exposure if the compromised devices are used to launch DDoS attacks against third‑party services. The reliance on EoL routers further widens the attack surface for supply‑chain partners.
Recommended Actions —
- Immediate Patch – Apply any available firmware updates for TBK DVRs; if none exist, isolate the devices on a segmented network.
- EoL Asset Retirement – Decommission or replace TP‑Link routers that are no longer supported.
- Network Segmentation – Place all IoT/DVR assets behind firewalls with strict inbound/outbound ACLs; block inbound traffic on ports used by the command‑injection vector.
- Threat Hunting – Deploy IDS/IPS signatures from FortiGuard and Unit 42 to detect scanning activity and botnet traffic.
- Supply‑Chain Review – Re‑evaluate third‑party risk assessments for vendors supplying TBK DVRs or similar IoT hardware, ensuring they have a robust vulnerability‑management program.
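As an added illustration of the Threat Hunting and Network Segmentation items above (not code from the original advisory or from either vendor), the Python script below scores firewall flow records for the two behaviours a compromised DVR segment exhibits: an external source sweeping many DVR hosts, and a DVR host opening an abnormal number of outbound flows to a single destination. The segment range, the log format and every address in it are assumptions, and the sample flows are constructed.

```python
"""Hunt constructed firewall flow records for inbound DVR scanning and
outbound flooding from DVR hosts. Segment, format and addresses are assumed."""
from collections import defaultdict
import ipaddress

# Assumption: all DVR/IoT assets sit in this segment (placeholder range).
DVR_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Constructed sample, one "src dst dport action" per line; not real traffic.
SAMPLE_LOG = "\n".join(
    # one external host probing eight DVRs on the same port: scanning pattern
    [f"203.0.113.7 10.50.0.{i} 80 deny" for i in range(10, 18)]
    # one DVR opening 40 outbound flows to a single target: flood pattern
    + ["10.50.0.12 198.51.100.5 443 allow"] * 40
    # benign: a DVR sending a few uploads to its cloud relay
    + ["10.50.0.13 192.0.2.9 443 allow"] * 3
    # benign: an admin workstation reaching one DVR
    + ["10.0.0.5 10.50.0.11 80 allow"]
)


def parse_log(text):
    """Yield (src, dst, dport, action) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, dport, action = parts
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action


def find_scanners(records, min_targets=5):
    """External sources touching >= min_targets distinct DVR hosts (inbound sweep)."""
    targets = defaultdict(set)
    for src, dst, _dport, _action in records:
        if dst in DVR_SEGMENT and src not in DVR_SEGMENT:
            targets[src].add(dst)
    return sorted(str(s) for s, t in targets.items() if len(t) >= min_targets)


def find_flooders(records, min_flows=20):
    """DVR hosts with >= min_flows outbound flows to one destination (DDoS egress)."""
    counts = defaultdict(int)
    for src, dst, _dport, _action in records:
        if src in DVR_SEGMENT and dst not in DVR_SEGMENT:
            counts[(src, dst)] += 1
    return sorted(f"{s} -> {d} ({n} flows)" for (s, d), n in counts.items() if n >= min_flows)


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print("inbound scanners:", find_scanners(recs))
    print("outbound flooders:", find_flooders(recs))
```

The thresholds are starting points; tune them against a baseline of the segment's normal flow counts before wiring the output into an alert.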
Source: The Hacker News