CVE-2025-34130: CWE-306 Missing Authentication for Critical Function in Merit LILIN DVR Firmware
Description
An unauthenticated arbitrary file read exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the /z/zbin/net_html.cgi endpoint. This vulnerability allows attackers to read sensitive configuration files, such as /zconf/service.xml, which can then be used to facilitate further attacks including command injection. The vulnerability has been exploited in the wild in conjunction with other issues by botnets like FBot and Moobot.
AI Analysis
Technical Summary
CVE-2025-34130 is a critical security vulnerability identified in Merit LILIN Digital Video Recorder (DVR) firmware versions prior to 2.0b60_20200207. The vulnerability exists due to missing authentication (CWE-306) on the /z/zbin/net_html.cgi endpoint, which allows unauthenticated remote attackers to read arbitrary files on the device. Specifically, attackers can access sensitive configuration files such as /zconf/service.xml, which contain critical system and service information. This unauthorized file read capability can be chained with other vulnerabilities to perform more severe attacks, including command injection, potentially leading to full device compromise. The vulnerability is remotely exploitable without requiring any privileges or user interaction, increasing its risk profile. The CVSS 4.0 base score is 8.7 (high severity), reflecting the ease of exploitation and the high impact on confidentiality. Although no official patches are currently linked, the vulnerability has been actively exploited in the wild by botnets like FBot and Moobot, which use it to expand their foothold and conduct further malicious activities. The flaw affects all firmware versions prior to the specified fixed version, indicating a broad attack surface among deployed LILIN DVR devices worldwide.
Potential Impact
The impact of CVE-2025-34130 is significant for organizations deploying Merit LILIN DVR devices, especially those used in critical infrastructure, surveillance, and security monitoring. Successful exploitation leads to unauthorized disclosure of sensitive configuration data, which can reveal network settings, credentials, and system configurations. This information leakage facilitates subsequent attacks such as command injection, enabling attackers to execute arbitrary commands, potentially taking full control of the DVR device. Compromised DVRs can be used as entry points into internal networks, undermining overall organizational security. Additionally, attackers can incorporate these devices into botnets (as observed with FBot and Moobot), amplifying distributed denial-of-service (DDoS) attacks or other malicious campaigns. The vulnerability's remote, unauthenticated nature and lack of user interaction requirements make it highly exploitable, increasing the risk of widespread compromise and operational disruption.
Mitigation Recommendations
1. Network Segmentation: Isolate LILIN DVR devices on dedicated network segments with strict access controls to limit exposure to untrusted networks.
2. Access Control: Restrict access to the /z/zbin/net_html.cgi endpoint using firewall rules or network ACLs to trusted management hosts only.
3. Monitoring and Detection: Deploy network intrusion detection systems (NIDS) and endpoint monitoring to detect unusual access patterns or exploitation attempts targeting the vulnerable endpoint.
4. Firmware Updates: Monitor Merit LILIN advisories closely and apply firmware updates promptly once a patch for this vulnerability is released.
5. Credential Management: Change default and known credentials on all DVR devices to strong, unique passwords to reduce risk if configuration files are accessed.
6. Incident Response: Prepare to isolate and remediate compromised devices quickly, including reimaging or replacing affected DVRs if exploitation is detected.
7. Vendor Engagement: Engage with Merit LILIN support to obtain timelines for official patches and request interim mitigation guidance.
8. Disable Unused Services: Where possible, disable unnecessary services or endpoints on the DVR devices to reduce the attack surface.
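The access-control and monitoring recommendations above can be checked from HTTP logs. The script below is an added illustration, not part of this advisory and not vendor tooling: it parses Common Log Format lines (assumed to be written by a reverse proxy or NIDS HTTP logger in front of the DVR), flags any request to /z/zbin/net_html.cgi from outside an assumed management subnet (10.10.0.0/24, a placeholder), and raises the severity when the decoded request target references the /zconf/ configuration directory named in the advisory. The sample log lines are constructed, and the query key PARAM in them is a placeholder, not the parameter a real request would carry.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Endpoint and configuration directory named in the advisory.
VULNERABLE_ENDPOINT = "/z/zbin/net_html.cgi"
SENSITIVE_HINTS = ("/zconf/",)

# Assumption: hosts allowed to administer the DVRs live in this network.
# Placeholder range; replace with the real management subnet.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def is_trusted(client):
    """True if the client address falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def classify(entry):
    """Return an alert dict for a suspicious request to the endpoint, else None."""
    target = unquote(entry["target"])  # decode %2F and friends before matching
    if urlsplit(target).path != VULNERABLE_ENDPOINT:
        return None
    untrusted = not is_trusted(entry["client"])
    sensitive = any(hint in target for hint in SENSITIVE_HINTS)
    if not (untrusted or sensitive):
        return None  # routine use from a trusted management host
    if untrusted and sensitive and entry["status"] == 200:
        severity = "high"    # config path requested from outside and served
    elif untrusted:
        severity = "medium"  # endpoint reached from outside the management network
    else:
        severity = "low"     # trusted host touched a config path; worth a look
    reasons = []
    if untrusted:
        reasons.append("client outside management network")
    if sensitive:
        reasons.append("request target references a configuration path")
    return {"client": entry["client"], "time": entry["time"], "status": entry["status"],
            "severity": severity, "reasons": reasons, "target": target}


def scan(lines):
    """Run classify() over log lines; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        alert = classify(entry)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log lines. PARAM is a placeholder query key, not a real parameter.
SAMPLE_LOG = [
    '10.10.0.5 - admin [16/Jul/2025:21:31:13 +0000] "GET /z/zbin/net_html.cgi HTTP/1.1" 200 812',
    '203.0.113.45 - - [16/Jul/2025:21:31:20 +0000] "GET /z/zbin/net_html.cgi?PARAM=/zconf/service.xml HTTP/1.1" 200 1532',
    '203.0.113.45 - - [16/Jul/2025:21:31:21 +0000] "GET /z/zbin/net_html.cgi HTTP/1.1" 403 0',
    '198.51.100.7 - - [16/Jul/2025:21:31:25 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '10.10.0.5 - admin [16/Jul/2025:21:31:30 +0000] "GET /z/zbin/net_html.cgi?PARAM=%2Fzconf%2Fservice.xml HTTP/1.1" 200 1532',
    'not a log line',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["client"]:15} {a["status"]} {a["target"]}  ({"; ".join(a["reasons"])})')
```

Run against real logs, the "medium" alerts tell you the ACL in recommendation 2 is not in place or has a gap, and a "high" alert on a device that has not received the 2.0b60_20200207 firmware is a cue to treat the device's stored credentials as exposed (recommendation 5) and start the isolation steps in recommendation 6.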
Affected Countries
United States, China, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.562Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68781a21a83201eaacded28b
Added to database: 7/16/2025, 9:31:13 PM
Last enriched: 3/5/2026, 2:01:37 PM
Last updated: 3/21/2026, 9:45:43 PM