TP-Link NVR Vulnerabilities Allows Attackers to Execute Arbitrary Commands

TP-Link has disclosed critical security vulnerabilities in two of its VIGI network video recorder (NVR) models that could allow attackers to execute arbitrary commands on affected devices.

The vulnerabilities, designated as CVE-2025-7723 and CVE-2025-7724, affect the VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2 systems, posing significant risks to network security infrastructure.

Both vulnerabilities have been assigned high CVSS scores, with the unauthenticated variant receiving a particularly concerning 8.7 rating, indicating the severity of the potential security breach.

The security vulnerabilities center around OS command injection vulnerabilities that exist in both authenticated and unauthenticated contexts within the affected VIGI NVR systems.

CVE-2025-7723, which requires high-level privileges for exploitation, has been assigned a CVSS v4.0 score of 8.5, while CVE-2025-7724, the more dangerous unauthenticated variant, received a score of 8.7.

The vulnerabilities specifically impact VIGI NVR1104H-4P V1 devices running firmware versions prior to 1.1.5 Build 250518 and VIGI NVR2016H-16MP V2 systems with firmware versions before 1.3.1 Build 250407.

Command injection vulnerabilities represent a particularly serious class of security vulnerabilities because they allow attackers to bypass normal application controls and directly interact with the underlying operating system.

In the context of network video recorders, which often serve as critical components in security surveillance systems, such vulnerabilities could provide attackers with unprecedented access to sensitive infrastructure.

The presence of both authenticated and unauthenticated variants means that attackers could potentially exploit these systems regardless of whether they have legitimate credentials.

TP-Link NVR Vulnerability

The unauthenticated nature of CVE-2025-7724 makes it particularly concerning for network administrators and security professionals.

This vulnerability allows attackers to execute arbitrary commands without requiring any form of authentication, meaning that any individual with network access to the affected devices could potentially compromise them.

The CVSS vector string reveals that the attack can be launched from an adjacent network with low complexity and requires no user interaction, making it relatively straightforward for malicious actors to exploit.

The authenticated variant, CVE-2025-7724, while requiring high-level privileges, still presents significant risks in environments where credential theft or insider threats are concerns.

Both vulnerabilities affect the confidentiality, integrity, and availability of the victimized systems, potentially allowing attackers to access recorded surveillance footage, manipulate recording settings, or completely disable the security monitoring capabilities of the affected devices.

The adjacent network attack vector suggests that attackers would need to be on the same network segment as the vulnerable devices, which could include scenarios involving compromised internal networks or direct physical access to network infrastructure.

Immediate Firmware Updates

TP-Link has released firmware updates to address both vulnerabilities, with version 1.1.5 Build 250518 available for the VIGI NVR1104H-4P V1 and version 1.3.1 Build 250407 for the VIGI NVR2016H-16MP V2.

The company strongly recommends that all users with affected devices immediately download and install these firmware updates to mitigate the security risks.

Additionally, TP-Link advises users to carefully review their device configurations following the firmware upgrade to ensure that all settings remain properly configured and aligned with their security requirements.

The timing of this disclosure, with the advisory updated on July 22, 2025, suggests that these vulnerabilities may have been recently discovered or that the patches have only recently been made available.

Organizations using these VIGI NVR systems should prioritize the application of these updates, particularly given the high severity scores and the potential for unauthenticated exploitation.

Network administrators should also consider implementing additional network segmentation and monitoring measures to detect any potential exploitation attempts while firmware updates are being deployed across their infrastructure.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.