CVE-2025-7724 is a critical unauthenticated OS command injection vulnerability affecting TP-Link Systems Inc.'s VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2 network video recorders (NVRs). Specifically, versions prior to 1.1.5 Build 250518 for the VIGI NVR1104H-4P V1 and prior to 1.3.1 Build 250407 for the VIGI NVR2016H-16MP V2 are vulnerable. The vulnerability is classified under CWE-78, which involves improper neutralization of special elements used in OS commands, allowing an attacker to inject arbitrary OS commands. The CVSS v4.0 score is 9.3 (critical), reflecting the high impact and ease of exploitation. The attack vector is network-based (AV:N), requires no authentication (PR:N), and no user interaction (UI:N), making it highly accessible to remote attackers. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system with the privileges of the vulnerable service, potentially leading to full system compromise, data exfiltration, disruption of video surveillance services, or pivoting within the network. No known exploits are currently reported in the wild, but the severity and ease of exploitation make it a significant threat. The lack of available patches at the time of publication increases the urgency for mitigation. The vulnerability affects embedded devices used for video surveillance, which are often deployed in critical infrastructure, corporate environments, and public safety contexts.

For European organizations, this vulnerability poses a substantial risk, especially for sectors relying on physical security and surveillance such as government facilities, transportation hubs, utilities, and large enterprises. Compromise of these NVR devices could lead to unauthorized access to surveillance footage, manipulation or deletion of video evidence, and disruption of security monitoring operations. This could undermine physical security, facilitate further cyber intrusions, or enable espionage. Additionally, attackers gaining control over these devices could use them as footholds to move laterally within corporate or critical infrastructure networks. Given the unauthenticated nature of the exploit, attackers can remotely target exposed devices without prior access, increasing the risk of widespread exploitation. The impact on confidentiality, integrity, and availability of security monitoring systems is high, potentially leading to regulatory compliance issues under GDPR and other data protection laws if personal data is compromised or surveillance systems are disrupted.

European organizations should immediately inventory their deployed TP-Link VIGI NVR devices to identify affected versions. Until official patches are available, organizations should implement network-level mitigations such as isolating NVR devices on segmented VLANs with strict access controls, restricting management interfaces to trusted IP addresses, and employing firewall rules to block unauthorized inbound traffic to these devices. Monitoring network traffic for unusual command injection patterns or unexpected outbound connections from NVR devices can help detect exploitation attempts. Organizations should also disable any unnecessary services or remote management features on these devices to reduce the attack surface. Once patches are released, prompt application is critical. Additionally, organizations should consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures for this vulnerability and conduct regular security assessments of their physical security infrastructure. Vendor engagement to obtain timely updates and guidance is recommended.