ICS Labs Outbreak Alert - TBK DVRs Botnet Attack
- Security Team

- Aug 8


ICSLabs has detected a significant increase in malicious network activity exploiting CVE-2024-3721, a critical unauthenticated command injection vulnerability affecting TBK DVR (Digital Video Recorder) devices. This flaw enables remote code execution without authentication through HTTP requests directed at the endpoint. Compromised devices are integrated into a botnet capable of carrying out distributed denial-of-service (DDoS) attacks.
Global threat intelligence repositories have identified 60,000 events, indicating widespread and well-coordinated attempts to exploit the vulnerability. Telemetry data shows that multiple botnet operators are leveraging this vulnerability to expand their infrastructures. Payloads and behavioral patterns associated with the Condi, Fodcha, Mirai, and Unstable botnet families have been observed, all known for targeting IoT devices and executing large-scale DDoS attacks.
Latest updates
June 6, 2025: Securelist published an analysis of the latest wave of Mirai exploits targeting TBK DVR devices.
June 10, 2025: FortiGuard released the Threat Signal Report.




