๐Ÿ” CVE Alert

CVE-2025-34130

UNKNOWN 0.0

LILIN DVR Arbitrary File Read via net_html.cgi

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

An unauthenticated arbitrary file read exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the /z/zbin/net_html.cgi endpoint. This vulnerability allows attackers to read sensitive configuration files, such as /zconf/service.xml, which can then be used to facilitate further attacks including command injection. The vulnerability has been exploited in the wild in conjunction with other issues by botnets like FBot and Moobot.

CWE: CWE-306, CWE-200
Vendor: merit lilin
Product: dvr firmware
Published: Jul 16, 2025
Last Updated: Mar 23, 2026

Affected Versions

Merit LILIN / DVR Firmware
* < 2.0b60_20200207

References

* blog.netlab.360.com: https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day/
* meritlilin.com: https://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf
* vulncheck.com: https://www.vulncheck.com/advisories/lilin-dvr-multiple-vulnerabilities

Credits

360 Netlab