Vulnerability of DVR devices of LILIN company


There are several zero-day vulnerabilities in digital video recorders (DVRs) for surveillance systems produced by the Taiwanese company LILIN, which have been exploited by botnet operators to infect and exploit vulnerable devices.
The findings come from the Chinese security team Qihoo 360’s Netlab, which states that since at least August 30, 2019, various attack groups have used LILIN DVR zero-day vulnerabilities to spread the Chalubo, FBot, and Moobot botnets.
The flaw itself includes a chain of vulnerabilities that use the encrypted login credentials of root/icatch99 and report/8Jg0SR8K50, potentially allowing an attacker to edit the DVRs configuration file and execute backdoor commands. when FTP or NTP server configurations are synchronized.


According to the information obtained, the Chalubo botnet team was the first to use the NTPUpdate vulnerability to exploit LILIN DVRs last August. Subsequently, the FBot botnet was found exploiting the FTP/NTP flaw in early January. Two weeks later, Moobot began to spread through an FTP zero-day vulnerability in LILIN products.
Vulnerable products:


·         DHD204A

·         DHD208

·         DHD208A

·         DHD216

·         DHD216A


·         DHD516A

·         DHD508A

·         DHD504A

·         DHD316A

·         DHD308A

·         DHD304A

·         DHD204


Threats of using this security weakness:

  • DDoS attacks on other equipment connected to the Internet
  • Open the Telnet service by running an HTML CGI command





It is recommended that LILIN users check and update their device frameworks in time and also apply a strong login password for these types of devices. It is also recommended that users set another port in their DVR settings.
Narrated by:



Leave a Reply

Your email address will not be published. Required fields are marked *