Executive Summary
In April 2026, cybersecurity researchers identified a new variant of the Mirai botnet, named Nexcorium, actively exploiting CVE-2024-3721—a command injection vulnerability in TBK DVR-4104 and DVR-4216 devices. By sending specially crafted HTTP POST requests to the vulnerable endpoint, attackers gained remote control over these devices, integrating them into a botnet used for large-scale Distributed Denial-of-Service (DDoS) attacks. The campaign, attributed to a group known as 'Nexus Team,' highlights the persistent threat posed by unpatched IoT devices in critical environments. (fortinet.com)
This incident underscores the ongoing risks associated with IoT vulnerabilities, particularly in devices that are often overlooked in security protocols. The exploitation of CVE-2024-3721 by Nexcorium serves as a stark reminder of the importance of timely patching and robust security measures to protect against evolving botnet threats.
Why This Matters Now
The exploitation of CVE-2024-3721 by the Nexcorium botnet highlights the urgent need for organizations to address vulnerabilities in IoT devices. As attackers continue to target unpatched systems, ensuring timely updates and implementing robust security measures are critical to prevent such devices from being co-opted into malicious botnets.
Attack Path Analysis
Threat actors exploited a command injection vulnerability (CVE-2024-3721) in TBK DVR devices to gain initial access. Upon successful exploitation, they escalated privileges to execute arbitrary commands on the compromised devices. The attackers then moved laterally by deploying the Nexcorium malware, which includes exploits for other vulnerabilities like CVE-2017-17215, targeting additional devices within the network. The compromised devices established connections to external command-and-control servers, awaiting instructions for further malicious activities. While specific data exfiltration activities were not detailed, the attackers maintained control over the devices, potentially allowing for data theft. The primary impact was the integration of these devices into a botnet used to launch distributed denial-of-service (DDoS) attacks.
Kill Chain Progression
Initial Compromise
Description
Exploitation of CVE-2024-3721 in TBK DVR devices allowed attackers to execute arbitrary commands remotely.
Related CVEs
CVE-2024-3721
CVSS 6.3. A command injection vulnerability in TBK DVR-4104 and DVR-4216 devices allows remote attackers to execute arbitrary commands via the /device.rsp endpoint.
Affected Products:
TBK DVR-4104 – up to 20240412
TBK DVR-4216 – up to 20240412
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: Unix Shell
Create or Modify System Process: Unix Service
Application Layer Protocol: Web Protocols
Network Denial of Service
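The advisory describes the exploit only at the level of "specially crafted HTTP POST requests to /device.rsp". A defender who cannot patch immediately still wants to see such attempts in the DVR's (or a reverse proxy's) web access log. The following is an added example, not code from the advisory, from TBK, or from Aviatrix: it parses combined-log-format lines (an assumed format), keeps only requests to /device.rsp, decodes each query parameter and flags values containing shell metacharacters, which is the generic shape of a command-injection attempt rather than any specific payload. The sample log lines are constructed.

```python
"""Detect command-injection-shaped requests to a TBK DVR's /device.rsp endpoint
in web access logs. Added example; not the advisory's or any vendor's code."""
import re
from collections import Counter
from urllib.parse import parse_qsl

# Combined log format (assumed): client ident user [time] "METHOD TARGET PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a parameter value escape into a shell: command separators,
# pipes, command substitution, redirection. Checked per decoded value, so the
# '&' that separates query parameters does not trigger a false positive.
SHELL_META_RE = re.compile(r'[;|&`$<>\n]')

VULN_PATH = "/device.rsp"   # endpoint named in the CVE-2024-3721 description

# Constructed sample log lines: two injection-shaped requests from one client,
# one benign request to the same endpoint, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2026:10:01:02 +0000] "POST /device.rsp?opt=sys&cmd=status%3Bwhoami HTTP/1.1" 200 512
203.0.113.7 - - [12/Apr/2026:10:01:09 +0000] "POST /device.rsp?opt=sys&cmd=$(uptime) HTTP/1.1" 200 512
198.51.100.2 - - [12/Apr/2026:10:02:00 +0000] "POST /device.rsp?opt=status HTTP/1.1" 200 128
192.0.2.9 - - [12/Apr/2026:10:03:15 +0000] "GET /index.html HTTP/1.1" 200 2048
"""


def analyse_line(line):
    """Return a finding dict if the line is a suspicious /device.rsp request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path != VULN_PATH:
        return None
    # parse_qsl percent-decodes values, so %3B becomes ';' before the check.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SHELL_META_RE.search(value):
            return {
                "src": m.group("src"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": m.group("status"),
                "param": name,
                "value": value,
                "reason": "shell metacharacter in %s parameter value" % VULN_PATH,
            }
    return None


def scan(log_text):
    """Run analyse_line over every line of a log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        f = analyse_line(line)
        if f:
            findings.append(f)
    return findings


def sources_by_hits(findings):
    """Count findings per client address, the first thing to block or investigate."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print("%(ts)s %(src)s %(method)s param=%(param)s value=%(value)r status=%(status)s" % h)
    print("sources:", dict(sources_by_hits(hits)))
```

Because the check runs on decoded parameter values rather than on the raw request line, simple percent-encoding of the separator does not evade it, and a benign `opt=status` call to the same endpoint is not reported. A 200 status on a flagged line is worth noting: the advisory describes a device that returns normally while executing the injected command, so response code alone does not indicate whether the attempt succeeded.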
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Security/Investigations
DVR surveillance systems compromised via CVE-2024-3721 exploitation enable botnet recruitment, requiring enhanced egress filtering and zero trust segmentation for critical infrastructure protection.
Telecommunications
End-of-life TP-Link routers targeted by Mirai variants create DDoS amplification risks, necessitating encrypted traffic monitoring and multicloud visibility for network infrastructure resilience.
Government Administration
Critical infrastructure vulnerabilities in surveillance and networking equipment expose government facilities to botnet recruitment, demanding immediate IPS deployment and anomaly detection capabilities.
Banking/Mortgage
Financial institutions using compromised DVR systems face compliance violations under PCI DSS requirements, requiring Kubernetes security and threat detection for regulatory adherence.
Sources
- Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet: https://thehackernews.com/2026/04/mirai-variant-nexcorium-exploits-cve.html
- CVE-2024-3721 Detail: https://nvd.nist.gov/vuln/detail/CVE-2024-3721
- TBK DVR Devices Command Injection (CVE-2024-3721): https://advisories.checkpoint.com/defense/advisories/public/2024/cpai-2024-0254.html
- Hundreds of DVRs and routers are being hijacked to form another major botnet: https://www.techradar.com/pro/security/hundreds-of-dvrs-and-routers-are-being-hijacked-to-form-another-major-botnet
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlling egress paths.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial exploitation may still occur, the attacker's ability to leverage compromised devices for further malicious activities would likely be constrained.
Control: Zero Trust Segmentation
Mitigation: Even if attackers gain initial access, their ability to escalate privileges and gain full control over devices would likely be constrained.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally and compromise additional devices would likely be constrained.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command-and-control channels would likely be constrained.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data from the network would likely be constrained.
The attacker's ability to integrate compromised devices into a botnet for DDoS attacks would likely be constrained.
Impact at a Glance
Affected Business Functions
- Surveillance Monitoring
- Security Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of surveillance footage and system configurations.
Recommended Actions
Key Takeaways & Next Steps
- Implement inline intrusion prevention systems (IPS) to detect and block exploitation attempts of known vulnerabilities like CVE-2024-3721.
- Deploy zero trust segmentation to limit lateral movement within the network, restricting unauthorized access between devices.
- Enhance east-west traffic security to monitor and control internal communications, preventing malware propagation.
- Establish robust egress security and policy enforcement to detect and block unauthorized outbound connections to command-and-control servers.
- Maintain multicloud visibility and control to monitor for anomalous activities across all cloud environments, ensuring comprehensive threat detection.