GreyNoise has observed a significant spike — 3 times that of typical activity — in exploitation attempts against TVT NVMS9000 DVRs, peaking on April 3 at over 2,500 unique IPs. This information disclosure vulnerability can be used to gain administrative control over affected systems. 

GreyNoise has identified sufficient overlap with Mirai, indicating this activity is associated with the botnet. Countless reports in the past have named the TVT NVMS9000 DVR as a target for botnet enlistment, including a GreyNoise update reporting Mirai targeting in early March. 

Manufactured by TVT Digital Technology Co., Ltd., a Shenzhen-based company, NVMS9000 DVRs are reportedly used in security and surveillance systems. The DVRs are used for recording, storing, and managing video footage from security cameras. A company report mentions TVT has “served customers in more than 120 countries.” 

Most malicious IP addresses are targeting systems based in the United States, United Kingdom, and Germany. 

GreyNoise Observations 

On March 31, 2025, GreyNoise observed the beginning of a surge in unique IP addresses attempting to exploit the NVMS9000 DVR. The number of IPs peaked at over 2,500 on April 3, with over 6,600 IPs attempting to exploit the flaw in the past 30 days. 

GreyNoise can confirm that all IPs targeting the flaw in the past 30 days are malicious, and none of them are spoofable. 

BLOCK MALICIOUS IPS NOW

Attackers could potentially use this flaw to gain full control of the DVR. 

Source and Destination Countries

The majority of IPs in the past 30 days have originated from the Asia-Pacific (APAC) region, while the U.S., U.K., and Germany are the top target countries.  

Top Source Countries

  • Taiwan (3,637 IPs)
  • Japan (809 IPs)
  • South Korea (542 IPs). 

Top Destination Countries

  • United States (6,471 IPs)
  • United Kingdom (5,738 IPs)
  • Germany (5,713 IPs). 

Mitigations 

Organizations using the NVMS9000 DVR or similar systems should ensure that they are properly secured. Recommended actions include: 

  • Use GreyNoise to block known malicious IP addresses attempting to exploit this vulnerability. 
  • Apply all available patches.
  • Restrict public internet access to DVR interfaces. 
  • Monitor network traffic for signs of unusual scanning or exploitation attempts. 

Monitor attacker activity targeting this flaw and block malicious IPs. 

VIEW ACTIVITY & BLOCK MALICIOUS IPS NOW

Stay updated by visiting the GreyNoise tag for this activity. 

— — —

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account