CVE-2026-0854 is an OS command injection vulnerability identified in the Merit LILIN DH032 series of digital video recorder (DVR) and network video recorder (NVR) devices. This vulnerability arises from improper neutralization of special characters in OS commands (CWE-78), allowing an authenticated remote attacker to inject arbitrary commands that the underlying operating system executes. The flaw exists in the device's firmware or software handling of user input that is passed to OS command interfaces without adequate sanitization or validation. Exploitation requires the attacker to have valid credentials (authenticated access) but does not require any user interaction beyond that. The vulnerability is remotely exploitable over the network, increasing its risk profile. The CVSS v4.0 base score of 8.7 reflects the ease of exploitation (low attack complexity), no need for user interaction, and the high impact on confidentiality, integrity, and availability of the affected device. Successful exploitation could allow attackers to take full control of the device, manipulate surveillance footage, disrupt monitoring services, or pivot into internal networks. Currently, no public patches or known exploits are reported, but the vulnerability is publicly disclosed and should be treated as critical. The Merit LILIN DH032 devices are widely used in security and surveillance deployments, making this vulnerability particularly concerning for organizations relying on these devices for physical security monitoring.

For European organizations, the impact of this vulnerability is significant due to the widespread use of Merit LILIN DH032 devices in critical infrastructure, corporate security, and public safety surveillance systems. Exploitation could lead to unauthorized control over surveillance devices, enabling attackers to disable or manipulate video feeds, potentially masking malicious activities or physical intrusions. This compromises the confidentiality and integrity of surveillance data and undermines the availability of security monitoring services. Additionally, compromised devices could serve as footholds for lateral movement within enterprise networks, leading to broader cybersecurity incidents. The disruption of surveillance systems could have regulatory and compliance implications, especially in sectors like transportation, government facilities, and financial institutions. Given the high CVSS score and the nature of the vulnerability, the threat could result in severe operational and reputational damage if exploited.

1. Immediately restrict network access to Merit LILIN DH032 devices by implementing strict firewall rules and network segmentation to limit exposure to trusted management networks only. 2. Enforce strong authentication mechanisms and regularly rotate credentials to reduce the risk of unauthorized access. 3. Monitor device logs and network traffic for unusual command execution patterns or unauthorized access attempts. 4. Apply vendor-provided patches or firmware updates as soon as they become available; if no patches exist yet, contact Merit LILIN support for guidance or temporary workarounds. 5. Disable any unnecessary services or interfaces on the devices to reduce the attack surface. 6. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect command injection attempts targeting these devices. 7. Conduct regular security audits and penetration testing focused on surveillance infrastructure to identify and remediate similar vulnerabilities proactively. 8. Educate system administrators and security personnel about the risks associated with this vulnerability and the importance of timely patching and access control.