CVE-2026-0854 is an OS command injection vulnerability identified in certain models of Merit LILIN's DH032 digital video recorder (DVR) and network video recorder (NVR) devices. The vulnerability stems from improper neutralization of special elements used in operating system commands (classified under CWE-78), allowing an authenticated remote attacker to inject arbitrary OS commands. This injection flaw enables attackers to execute commands on the underlying operating system with the privileges of the vulnerable service, potentially leading to full device compromise. The vulnerability requires the attacker to be authenticated, but no user interaction is needed beyond that. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no attack or user interaction required (AT:N, UI:N), and privileges required are low (PR:L). The impact on confidentiality, integrity, and availability is rated high (VC:H, VI:H, VA:H), meaning attackers can exfiltrate sensitive data, alter device operation, or disrupt service. The affected product, Merit LILIN DH032, is commonly used in surveillance and security monitoring environments. No patches or exploit code are currently publicly available, and no known exploits have been reported in the wild as of the publication date. However, the high severity score and potential impact necessitate immediate attention from affected organizations. The vulnerability's exploitation could allow attackers to pivot into broader network environments or disable critical surveillance infrastructure.

For European organizations, the impact of CVE-2026-0854 could be substantial, especially for those relying on Merit LILIN DH032 devices for physical security and surveillance. Successful exploitation could lead to unauthorized access to video feeds, tampering with recorded footage, or complete device takeover, undermining security monitoring capabilities. This could affect critical infrastructure sectors such as transportation, energy, government facilities, and corporate environments where surveillance is integral to safety and compliance. The compromise of these devices could also serve as a foothold for lateral movement within enterprise networks, increasing the risk of broader cyberattacks. Additionally, disruption or manipulation of surveillance data could have legal and regulatory consequences under European data protection laws, including GDPR, if personal data is exposed or integrity is compromised. The high severity and network accessibility of the vulnerability increase the urgency for European entities to address this risk promptly.

1. Immediate mitigation should focus on restricting network access to the affected Merit LILIN DH032 devices by implementing network segmentation and firewall rules to limit exposure to trusted management networks only. 2. Enforce strong, unique authentication credentials on all devices to reduce the risk of unauthorized access, as the vulnerability requires authentication. 3. Monitor device logs and network traffic for unusual command execution patterns or unauthorized access attempts indicative of exploitation attempts. 4. If possible, disable unnecessary services or interfaces on the devices to reduce the attack surface. 5. Engage with Merit LILIN support or vendors to obtain patches or firmware updates addressing this vulnerability as soon as they become available. 6. Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect OS command injection attempts targeting these devices. 7. Maintain an inventory of all deployed Merit LILIN devices and verify their firmware versions to identify and prioritize vulnerable units. 8. Develop and test incident response plans specific to DVR/NVR compromise scenarios to enable rapid containment and recovery.