轉發 台灣電腦網路危機處理暨協調中心 資安訊息警訊 TWCERTCC-200-202601-00000007

[內容說明]
【利凌｜監控主機 - OS Command Injection】( CVE-2026-0854，CVSS：8.8) 利凌開發之部分監控主機型號存在OS Command Injection漏洞，已通過身分鑑別之遠端攻擊者可注入任意作業系統指令並於設備上執行。

[影響平台]
DH032：v1.0.28.3858(含)以前版本
DVR708, DVR716：v1.3.4(含)以前版本
DVR804, DVR808, DVR816：v1.3.4(含)以前版本
NVR100L, NVR200L, NVR400L, NVR1400L, NVR2400L：v1.1.66(含)以前版本
NVR3216, NVR3416, NVR3416r, NVR3816：v2.0.74.3921(含)以前版本
NVR5832, NVR5832S：v4.0.24.4043(含)以前版本
NVR5104E, NVR5208E, NVR5416E：v4.0.24.4078(含)以前版本

[建議措施]
請參考官方公告(M00175)進行韌體版本更新

[參考資料]
1. https://www.twcert.org.tw/tw/cp-132-10624-6599c-1.html
2. https://www.meritlilin.com/security/indexch.html#Anchor

Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202601-00000007

[Content Description]
【LILIN | Monitoring Host - OS Command Injection】(CVE-2026-0854, CVSS: 8.8) Some monitoring host models developed by LILIN contain an OS Command Injection vulnerability. An authenticated remote attacker can inject arbitrary operating system commands and execute them on the device.

[Affected Platforms]
DH032: Versions prior to v1.0.28.3858 (inclusive)
DVR708, DVR716: Versions prior to v1.3.4 (inclusive)
DVR804, DVR808, DVR816: Versions prior to v1.3.4 (inclusive)
NVR100L, NVR200L, NVR400L, NVR1400L, NVR2400L: Versions prior to v1.1.66 (inclusive)
NVR3216, NVR3416, NVR3416r, NVR3816: Versions prior to v2.0.74.3921 (inclusive)
NVR5832, NVR5832S: Versions prior to v4.0.24.4043 (inclusive)
NVR5104E, NVR5208E, NVR5416E: Versions prior to v4.0.24.4078

[Recommended Action]
Please refer to the official announcement (M00175) for firmware updates.

[References]
1. https://www.twcert.org.tw/tw/cp-132-10624-6599c-1.html
2. https://www.meritlilin.com/security/indexch.html#Anchor