Key Information

Vulnerability title: TVT NVMS-9000 < 1.3.4 Unauthenticated Administrative Queries & Information Disclosure
Severity: Critical
CVSS: 8.7
CVSS V4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVE ID: CVE-2024-14007
CWE: CWE-306 Missing Authentication for Critical Function
Affected product versions: NVMS-9000 firmware versions < 1.3.4, other white-labeled DVR/NVR/IPC products
Discovery date: October 24, 2025
References: - SSD Advisory - NVMS-9000 Information Disclosure - GreyNoise Observes 3X Surge in Exploitation Attempts Against TVT DVRs - Likely Mirai - Undercode Testing Blog - ELEVEN11 Botnet Mirai Variant Targeting NVMS-9000 Devices
Discovered by: SSD Secure Disclosure
Description:
- The page describes an authentication bypass vulnerability: sending a specific TCP payload allows privileged administrative query commands to be executed, leading to information disclosure, including sensitive information such as the administrator's username and password.