CVE-2026-0854
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Certain DVR/NVR models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Merit LILIN | DH032 | 0 <= 1.0.28.3858 | affected |
| Merit LILIN | DVR708 | 0 <= 1.3.4 | affected |
| Merit LILIN | DVR716 | 0 <= 1.3.4 | affected |
| Merit LILIN | DVR804 | 0 <= 1.3.4 | affected |
| Merit LILIN | DVR808 | 0 <= 1.3.4 | affected |
| Merit LILIN | DVR816 | 0 <= 1.3.4 | affected |
| Merit LILIN | NVR100L | 0 <= 1.1.66 | affected |
| Merit LILIN | NVR200L | 0 <= 1.1.66 | affected |
| Merit LILIN | NVR400L | 0 <= 1.1.66 | affected |
| Merit LILIN | NVR1400L | 0 <= 1.1.66 | affected |
| Merit LILIN | NVR2400L | 0 <= 1.1.66 | affected |
| Merit LILIN | NVR3216 | 0 <= 2.0.74.3921 | affected |
| Merit LILIN | NVR3416 | 0 <= 2.0.74.3921 | affected |
| Merit LILIN | NVR3416r | 0 <= 2.0.74.3921 | affected |
| Merit LILIN | NVR3816 | 0 <= 2.0.74.3921 | affected |
| Merit LILIN | NVR5832 | 0 <= 4.0.24.4043 | affected |
| Merit LILIN | NVR5832S | 0 <= 4.0.24.4043 | affected |
| Merit LILIN | NVR5104E | 0 <= 4.0.24.4078 | affected |
| Merit LILIN | NVR5208E | 0 <= 4.0.24.4078 | affected |
| Merit LILIN | NVR5416E | 0 <= 4.0.24.4078 | affected |
Weaknesses
- CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.twcert.org.tw/tw/cp-132-10624-6599c-1.html
- https://www.twcert.org.tw/en/cp-139-10623-4f523-2.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.