MVPower DVR Shell Unauthenticated Command Execution

This Metasploit module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The ‘shell’ file on the web interface executes arbitrary operating system commands in the query string. This Metasploit module was tested successfully on a MVPower model TV-7104HE with firmware version 1.8.4 115215B9 (Build 2014/11/17). The TV-7108HE model is also reportedly affected, but untested.

Leave a Reply