CVE-2026-0854

Summary

Certain DVR/NVR models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.

Affected Software

VendorProductVersion RangeStatus
Merit LILINDH0320 <= 1.0.28.3858affected
Merit LILINDVR7080 <= 1.3.4affected
Merit LILINDVR7160 <= 1.3.4affected
Merit LILINDVR8040 <= 1.3.4affected
Merit LILINDVR8080 <= 1.3.4affected
Merit LILINDVR8160 <= 1.3.4affected
Merit LILINNVR100L0 <= 1.1.66affected
Merit LILINNVR200L0 <= 1.1.66affected
Merit LILINNVR400L0 <= 1.1.66affected
Merit LILINNVR1400L0 <= 1.1.66affected
Merit LILINNVR2400L0 <= 1.1.66affected
Merit LILINNVR32160 <= 2.0.74.3921affected
Merit LILINNVR34160 <= 2.0.74.3921affected
Merit LILINNVR3416r0 <= 2.0.74.3921affected
Merit LILINNVR38160 <= 2.0.74.3921affected
Merit LILINNVR58320 <= 4.0.24.4043affected
Merit LILINNVR5832S0 <= 4.0.24.4043affected
Merit LILINNVR5104E0 <= 4.0.24.4078affected
Merit LILINNVR5208E0 <= 4.0.24.4078affected
Merit LILINNVR5416E0 <= 4.0.24.4078affected

Weaknesses

  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References