CVE-2025-34130: CWE-306 Missing Authentication for Critical Function in Merit LILIN DVR Firmware
An unauthenticated arbitrary file read exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the /z/zbin/net_html.cgi endpoint. This vulnerability allows attackers to read sensitive configuration files, such as /zconf/service.xml, which can then be used to facilitate further attacks including command injection. The vulnerability has been exploited in the wild in conjunction with other issues by botnets like FBot and Moobot.
AI Analysis
Technical Summary
CVE-2025-34130 is a critical security vulnerability identified in Merit LILIN Digital Video Recorder (DVR) firmware versions prior to 2.0b60_20200207. The vulnerability exists due to missing authentication controls on a critical function accessible via the /z/zbin/net_html.cgi endpoint. This endpoint allows unauthenticated remote attackers to arbitrarily read files on the device filesystem, including sensitive configuration files such as /zconf/service.xml. The exposure of these configuration files can reveal credentials, network settings, or other sensitive parameters that facilitate subsequent attacks, including command injection vulnerabilities. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-200 (Information Exposure). The CVSS v4.0 base score is 8.7, indicating a high severity with network attack vector, no required privileges or user interaction, and high confidentiality impact. Although no official patches have been linked, the vulnerability has been exploited in the wild by botnets like FBot and Moobot, which use it to compromise devices for malicious purposes such as DDoS attacks or spreading malware. The flaw affects all firmware versions prior to 2.0b60_20200207, suggesting a broad impact on deployed devices. The lack of authentication on this critical endpoint represents a significant security design flaw in the affected DVR firmware.
Potential Impact
The impact of CVE-2025-34130 is significant for organizations using Merit LILIN DVR devices, especially those deployed in security-sensitive environments such as surveillance for critical infrastructure, government facilities, and enterprises. Successful exploitation allows attackers to read arbitrary files without authentication, leading to exposure of sensitive configuration data including credentials and network information. This can enable attackers to escalate privileges, perform command injection, and potentially gain full control over the DVR device. Compromised DVRs can be leveraged as entry points into internal networks, undermining overall security posture. Additionally, infected devices may be conscripted into botnets like FBot and Moobot, contributing to large-scale distributed denial-of-service (DDoS) attacks or other malicious campaigns. The vulnerability threatens confidentiality, integrity, and availability of the affected systems and can result in operational disruption, data breaches, and reputational damage.
Mitigation Recommendations
1. Immediately restrict network access to affected Merit LILIN DVR devices by placing them behind firewalls or network segmentation to limit exposure to untrusted networks, especially the internet.
2. Monitor network traffic and device logs for unusual activity indicative of exploitation attempts or botnet communication.
3. Disable or restrict access to the /z/zbin/net_html.cgi endpoint if possible through device configuration or network controls.
4. Coordinate with Merit LILIN support or vendors to obtain and apply firmware updates or patches as soon as they become available.
5. Implement strong network-level authentication and VPN access controls for remote management of DVR devices.
6. Conduct regular security assessments and vulnerability scans on DVR devices to detect outdated firmware or configuration weaknesses.
7. Consider replacing legacy or unsupported devices that cannot be patched or secured adequately.
8. Educate security teams about this vulnerability and incorporate detection signatures into intrusion detection/prevention systems (IDS/IPS).
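Recommendations 2 and 8 call for log monitoring and detection signatures. The following is an added example, not part of this advisory or of LILIN's firmware: a Python triage function over constructed access-log lines (assumed Common Log Format from a reverse proxy in front of the DVR) that flags requests to the vulnerable endpoint from outside an assumed management network and escalates when the request line references /zconf/ or a path-traversal token. The management CIDR and the query parameter name in the sample are placeholders, since the advisory does not describe the request format.

```python
import ipaddress
import re
from typing import Dict, List

# Endpoint and sensitive path named in the CVE-2025-34130 advisory.
VULN_ENDPOINT = "/z/zbin/net_html.cgi"
SENSITIVE_HINTS = ("/zconf/", "..")

# Assumption (placeholder): DVR management is only legitimate from this network.
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumed Common Log Format: src ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line: str) -> Dict[str, str]:
    """Return a finding for one access-log line, or {} when nothing is notable."""
    m = LOG_RE.match(line)
    if not m:
        return {}  # malformed or non-CLF line; skip rather than guess
    path = m.group("path")
    if not path.startswith(VULN_ENDPOINT):
        return {}
    src = ipaddress.ip_address(m.group("src"))
    from_mgmt = any(src in net for net in MGMT_NETWORKS)
    # Any hit on an unauthenticated endpoint from outside management is worth a look.
    severity = "info" if from_mgmt else "medium"
    if any(hint in path.lower() for hint in SENSITIVE_HINTS):
        severity = "high"  # config-file or traversal reference on the exposed endpoint
    return {"src": str(src), "path": path, "status": m.group("status"), "severity": severity}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a log and keep only the lines that produced a finding."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines, not captured traffic; PARAM is a placeholder name.
SAMPLE_LOG = [
    '10.20.0.5 - - [16/Jul/2025:21:31:13 +0000] "GET /z/zbin/net_html.cgi HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Jul/2025:21:32:01 +0000] "GET /z/zbin/net_html.cgi?PARAM=/zconf/service.xml HTTP/1.1" 200 2048',
    '203.0.113.9 - - [16/Jul/2025:21:33:40 +0000] "GET /z/zbin/net_html.cgi HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Jul/2025:21:33:41 +0000] "GET /index.html HTTP/1.1" 200 128',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feeding the same logic into an IDS rule (recommendation 8) amounts to matching the endpoint path and the /zconf/ substring in the HTTP request line, with the source-network check supplied by the rule's address variables.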
Affected Countries
United States, China, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.562Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68781a21a83201eaacded28b
Added to database: 7/16/2025, 9:31:13 PM
Last enriched: 3/24/2026, 12:26:46 AM
Last updated: 4/13/2026, 12:15:07 PM