CVE-2026-0854
Published: 12 January 2026
Description
Certain DVR/NVR models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by requiring validation of all information inputs to block malicious command strings in Merit LILIN DVR/NVR devices.
Mitigates the specific CVE-2026-0854 flaw through timely flaw remediation, including application of patches detailed in TWCERT/CC advisories.
Limits damage from injected OS commands by enforcing least privilege on authenticated low-privilege remote users accessing vulnerable DVR/NVR models.
Security SummaryAI
CVE-2026-0854 is an OS Command Injection vulnerability (CWE-78) present in certain DVR/NVR models developed by Merit LILIN. Published on 2026-01-12, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
The vulnerability enables authenticated remote attackers possessing low privileges to inject arbitrary OS commands, which are then executed on the affected device. Exploitation requires network access and is straightforward with low complexity and no user interaction, allowing attackers to gain substantial control over the DVR/NVR systems.
Advisories detailing mitigations and patches are available from TWCERT/CC at https://www.twcert.org.tw/en/cp-139-10623-4f523-2.html and https://www.twcert.org.tw/tw/cp-132-10624-6599c-1.html.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in a network-accessible DVR/NVR device enables exploitation of public-facing applications (T1190) or remote services (T1210) for arbitrary Unix shell command execution (T1059.004).