CVE-2025-36529: Improper neutralization of special elements used in an OS command ('OS Command Injection') in TB-eye Ltd. XRN-410SN/TE
An OS command injection issue exists in multiple versions of TB-eye network recorders and AHD recorders. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who is logging in to the device.
AI Analysis
Technical Summary
CVE-2025-36529 is a high-severity OS command injection vulnerability (CWE-78) in TB-eye Ltd.'s XRN-410SN/TE network recorders and AHD recorders; the affected firmware is Ver2.47b_220119153805 and earlier. A value supplied through the device's management functions is incorporated into an operating-system command without neutralizing shell metacharacters, so an attacker who can log in to the device with a sufficiently privileged account can append or substitute commands of their own. Those commands run with the privileges of the process that builds the command line, which on embedded devices is frequently a root-level process.

The CVSS 3.1 base score of 7.2 corresponds to the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: exploitable over the network with low attack complexity and no user interaction, but only from an account with high privileges, and with high impact on confidentiality, integrity and availability. In practice that means full control of the recorder: reading or deleting recordings, altering configuration, installing persistent tooling, or taking the device offline. The privilege requirement makes this chiefly a post-authentication escalation: a weak, shared, default or phished administrator credential, or any other flaw that yields an administrative session, converts directly into arbitrary code execution on the device.

No exploitation in the wild had been reported at the time of this analysis, and no fixed firmware version was listed, which is why interim mitigations matter. XRN-410SN/TE units are used for video surveillance in commercial, industrial and critical-infrastructure settings, where loss of recording integrity or availability has consequences well beyond the device itself.
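As an added illustration of the vulnerability class described above (this is not code from TB-eye firmware, which the page does not show), the C example below sketches a hypothetical recorder CGI handler that runs ping against an administrator-supplied host. The vulnerable path splices the value into a shell command line; the hardened path checks the value against an allowlist and then executes ping through execvp() with an explicit argument vector, so no shell ever parses it. The function names, the "host" parameter and the attacker payload are all constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * Hypothetical recorder CGI handler (constructed for this example) that lets an
 * administrator test network reachability. The "host" value comes straight
 * from the HTTP request and is therefore attacker-controlled once the attacker
 * holds an administrative session.
 */

/* VULNERABLE: the untrusted value is spliced into a string that a shell will
 * parse, so ';', '|', '`' or '$(...)' inside "host" become extra commands.
 * Returns 0 and fills `out` with the command line that would reach system(). */
int build_ping_command_vulnerable(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Allowlist check: only characters that can appear in a DNS name or an IPv4
 * literal. Everything else, including every shell metacharacter, is rejected.
 * A leading '-' is also refused so the value cannot be read as a ping option. */
int is_valid_hostname(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* HARDENED: validate first, then execute without any shell. The argument
 * vector goes to execvp() directly, so no character in "host" is ever
 * interpreted by /bin/sh. Returns the child's exit status, or -1 if the input
 * is rejected or the process cannot be started. */
int run_ping_hardened(const char *host)
{
    if (!is_valid_hostname(host))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *payload = "127.0.0.1; id"; /* constructed attacker input */
    char cmd[256];

    if (build_ping_command_vulnerable(payload, cmd, sizeof cmd) == 0)
        printf("vulnerable path would hand the shell: %s\n", cmd);

    printf("hardened path: \"%s\" -> %s\n", payload,
           is_valid_hostname(payload) ? "accepted" : "rejected");
    printf("hardened path: \"%s\" -> %s\n", "10.0.0.1",
           is_valid_hostname("10.0.0.1") ? "accepted" : "rejected");
    return 0;
}
```

Escaping or blocklisting individual metacharacters is a weaker fix than avoiding the shell entirely: the allowlist plus execvp() combination removes the injection primitive rather than trying to enumerate it, and the leading-dash check closes the separate argument-injection case, where a value such as -f would otherwise be read as a ping option.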
Potential Impact
For European organizations the primary exposure is in sectors that rely on these recorders for physical security: transport hubs, manufacturing sites, utilities and public-safety agencies. An attacker with administrative access who exploits the flaw controls the recorder: live and stored video can be viewed or exfiltrated, footage can be altered or deleted, recording can be stopped, and the device, which typically sits on a network segment with cameras and often has reachability into corporate networks, becomes a pivot point and a durable foothold. Unauthorized access to footage of identifiable people is processing of personal data under GDPR and may trigger breach-notification duties; tampered or missing footage undermines incident response and any later forensic or legal use of the recordings. The authentication requirement narrows the attack surface but does not remove it: surveillance recorders are frequently deployed with default or shared administrator passwords, and the flaw also multiplies the impact of any separate weakness in the device's authentication. The absence of known exploits offers a window for proactive defence, not a reason to defer it.
Mitigation Recommendations
Inventory first: identify every TB-eye XRN-410SN/TE on the network and read the firmware version from the device's administration interface; any unit reporting Ver2.47b_220119153805 or earlier is in scope. Until fixed firmware is available:
- Place the recorders in a dedicated surveillance VLAN, permit access to the management interface only from a small set of administrator hosts, and block the recorders from initiating connections to corporate or internet destinations beyond what they need (for example NTP and the vendor's update service).
- Replace default and shared administrator passwords with unique, strong credentials, remove or disable accounts that are not needed, and enable multi-factor authentication where the firmware supports it. Because exploitation requires an administrative login, the credential is the control that matters most.
- Disable unused services and remote-management features, in particular anything reachable through port forwarding or UPnP.
- Monitor for administrative logins from unexpected sources or at unexpected times, for configuration changes, and for outbound connections the recorder does not normally make; forward the device's logs to a central collector so they survive tampering on the device.
- Track TB-eye's advisories for fixed firmware and apply it promptly. If a device shows signs of compromise, assume the attacker has full control of it: isolate it, preserve its logs and storage for forensics, then restore a known-good firmware image and issue new credentials.
- Brief the staff who administer these devices on the indicators above so that they recognize and report them.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: jpcert
- Date Reserved: 2025-06-24T23:58:17.896Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6862dd626f40f0eb728ca97d
Added to database: 6/30/2025, 6:54:26 PM
Last enriched: 6/30/2025, 7:09:47 PM
Last updated: 8/3/2025, 12:28:00 AM
Related Threats
- CVE-2025-51531: n/a (severity: Unknown)
- CVE-2025-48394: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Eaton G4 PDU (severity: Medium)
- CVE-2025-48393: CWE-295 Improper Certificate Validation in Eaton G4 PDU (severity: Medium)
- CVE-2025-50234: n/a (severity: High)
- CVE-2025-2028: CWE-295 Improper Certificate Validation in Check Point Management Log Server (severity: Medium)