Skip to main content
Emerging ThreatsMalware & Ransomware

Mirai Botnet Exploits DVR Flaw in TBK Devices

Dark surveillance room with glitchy screens, dusty equipment, and a cracked DVR device with exposed wires.

What happens when a long-standing class of device-level vulnerability meets a Mirai-derived campaign? "FortiGuard Labs has identified a Mirai-based Nexcorium campaign actively exploiting CVE-2024-3721 in TBK DVR devices," the researchers reported — a concise sentence that raises immediate operational and strategic questions for device owners, network defenders and those who set rules for cyber risk management.

What the researchers reported

FortiGuard Labs has publicly identified an active campaign that uses a Mirai-based malware family, labeled Nexcorium, to exploit a specific vulnerability: CVE-2024-3721. The campaign targets TBK-brand digital video recorder (DVR) devices. FortiGuard Labs’ statement frames the activity as exploitation of a command injection flaw to deploy a Mirai-based botnet.

Background and technical framing

The core facts in FortiGuard Labs’ advisory are few but stark: attackers are exploiting a command injection vulnerability (CVE-2024-3721) in TBK DVR devices, and the exploit activity is linked to a Mirai-based malware campaign designated Nexcorium. That combination — a device-level command injection and malware adapted from Mirai — is the mechanism by which adversaries are reportedly assembling a Mirai-based botnet.

Why this matters

  • Direct impact on owners of affected hardware: TBK DVR devices are identified as the exploitation target. Owners of those devices are therefore in the scope of the active campaign identified by FortiGuard Labs.
  • Evidence of exploitation in the wild: FortiGuard Labs characterizes the activity as an active campaign, signaling that this is not purely theoretical or limited to proof-of-concept demonstrations.
  • Common vulnerability enumeration: The activity is tied to a CVE identifier (CVE-2024-3721), which provides a reference point for tracking, mitigation and cross-organizational communication.

Perspectives: technologists, policymakers, users and adversaries

Technologists and incident responders will see three immediate takeaways in FortiGuard Labs’ finding: an identified CVE associated with a command injection flaw, a named class of affected devices (TBK DVRs), and active exploitation by a Mirai-derived campaign called Nexcorium. Each element carries operational implications for detection, containment and disclosure workflows.

For policymakers and risk managers, the advisory underscores that enumerated vulnerabilities tied to specific products can transition quickly from disclosure to exploitation. The linkage to a named campaign and a CVE offers a clear focal point for cross-industry coordination, information sharing and any required advisories to affected communities.

Users of TBK DVR devices are the most immediate stakeholders called out by FortiGuard Labs’ report. The notification that attackers are actively exploiting CVE-2024-3721 signals a direct, present-day risk to those devices.

From an adversary’s perspective, the reuse and adaptation of Mirai-derived code — in this case under the Nexcorium label — illustrates a behavioral pattern: leveraging known malware lineages and identifiable vulnerabilities against accessible, networked devices.

Conclusion

FortiGuard Labs’ concise finding — that a Mirai-based Nexcorium campaign is actively exploiting CVE-2024-3721 in TBK DVR devices — provides a narrow but actionable datapoint. It names the vulnerability, the affected product class, and the malware lineage. The core question left for defenders and policymakers is simple and urgent: with an exploit in the wild tied to a specific CVE and device family, what steps will device owners and institutions take to identify affected assets and reduce exposure?

Original story