CVE-2025-34130 is a high-severity vulnerability affecting Merit LILIN Digital Video Recorder (DVR) devices running firmware versions prior to 2.0b60_20200207. The vulnerability arises from missing authentication controls on a critical function accessible via the /z/zbin/net_html.cgi endpoint. Specifically, this flaw allows unauthenticated attackers to perform arbitrary file reads on the device, including sensitive configuration files such as /zconf/service.xml. Access to these configuration files can expose critical information about the device setup and credentials, which attackers can leverage to conduct further attacks, including command injection. The vulnerability is categorized under CWE-306 (Missing Authentication for Critical Function) and CWE-200 (Information Exposure). The CVSS 4.0 base score of 8.7 reflects the vulnerability's ease of exploitation (no authentication or user interaction required), network attack vector, and high impact on confidentiality. Although no official patches or firmware updates are currently linked, the vulnerability has been exploited in the wild by botnets such as FBot and Moobot, indicating active threat actor interest and real-world exploitation scenarios. This vulnerability poses a significant risk to the confidentiality and integrity of DVR devices, potentially allowing attackers to gain unauthorized access and control over surveillance infrastructure.

For European organizations, especially those relying on Merit LILIN DVR devices for security and surveillance, this vulnerability presents a substantial risk. Compromise of DVR devices can lead to unauthorized disclosure of sensitive video feeds, configuration data, and credentials, undermining physical security measures. Attackers could use the exposed configuration files to escalate privileges or execute arbitrary commands, potentially gaining persistent access or pivoting within the network. This could impact critical infrastructure, corporate facilities, and public safety systems that depend on these DVRs. The exploitation by botnets also raises concerns about these devices being conscripted into distributed denial-of-service (DDoS) attacks or other malicious campaigns, further amplifying the threat. The lack of authentication and ease of exploitation mean that even low-skilled attackers can leverage this vulnerability, increasing the likelihood of widespread compromise. European organizations in sectors such as transportation, government, healthcare, and manufacturing that deploy these DVRs are particularly at risk.

1. Immediate firmware upgrade: Organizations should verify the firmware version of their Merit LILIN DVR devices and upgrade to version 2.0b60_20200207 or later if available, as this version addresses the vulnerability. 2. Network segmentation: Isolate DVR devices on dedicated network segments with strict access controls to limit exposure to untrusted networks and reduce attack surface. 3. Access control: Implement firewall rules to restrict access to the /z/zbin/net_html.cgi endpoint only to trusted management hosts or networks. 4. Monitor network traffic: Deploy intrusion detection/prevention systems (IDS/IPS) to detect anomalous requests targeting the vulnerable endpoint or unusual outbound traffic indicative of compromise. 5. Credential management: Change default credentials and ensure strong authentication mechanisms are in place for device management interfaces. 6. Incident response readiness: Prepare to detect and respond to potential exploitation attempts, including botnet activity, by maintaining updated threat intelligence and logs. 7. Vendor engagement: Engage with Merit LILIN support for official patches and security advisories and request timely updates if not yet provided. 8. Disable unused services: Where possible, disable or restrict access to unnecessary services or endpoints on the DVR devices to minimize attack vectors.