Nexcorium Botnet Exploits Unpatched TBK DVRs and TP-Link Routers in Large-Scale DDoS Campaign
A newly uncovered botnet campaign is exploiting a critical vulnerability in TBK digital video recorders (DVRs) to deploy Nexcorium, a Mirai-based malware designed for large-scale distributed denial-of-service (DDoS) attacks. The flaw, CVE-2024-3721 (CVSS 6.3), affects TBK’s DVR-4104 and DVR-4216 models, which remain widely deployed in small businesses, retail outlets, and surveillance systems due to outdated firmware and weak default credentials.
Attackers exploit the vulnerability by sending a crafted HTTP request to the endpoint /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___, enabling unauthenticated remote code execution (RCE). Once compromised, the device is enslaved into the botnet, with Nexcorium displaying the message “nexuscorp has taken control” upon execution, a deliberate signature left by the threat actors.
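A defender's first question after reading the paragraph above is whether any of the exploitation attempts reached a DVR exposed through their own web server or reverse proxy. The following script is an added example, not code from the article or from FortiGuard Labs: it parses combined-format access log lines, flags requests to the reported endpoint carrying the reported cmd value as an exploitation attempt, and, as a broader heuristic that goes beyond what the article states, flags any other opt=sys command sent to /device.rsp as suspicious. The log lines, client addresses (RFC 5737 documentation ranges) and timestamps are constructed for illustration and are not indicators from the campaign.

```python
"""Flag CVE-2024-3721 exploitation attempts in HTTP access logs.

Added example; not from the original article or FortiGuard's analysis.
The sample log lines below are constructed and are not real IoCs.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Path and cmd value reported for the TBK DVR exploitation attempts.
TBK_PATH = "/device.rsp"
TBK_CMD_SIGNATURE = "___S_O_S_T_R_E_A_MAX___"

# Apache/nginx combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def classify_request(target: str) -> Optional[str]:
    """Classify a request target.

    'exploit'    : /device.rsp with opt=sys and the reported cmd value.
    'suspicious' : /device.rsp with opt=sys and any other cmd value
                   (assumed heuristic, broader than the article's report).
    None         : anything else.
    """
    parts = urlsplit(target)
    if parts.path != TBK_PATH:
        return None
    params = parse_qs(parts.query)
    if params.get("opt") != ["sys"]:
        return None
    if any(TBK_CMD_SIGNATURE in cmd for cmd in params.get("cmd", [])):
        return "exploit"
    return "suspicious"


def scan_log(lines: List[str]) -> List[dict]:
    """Return one finding per matching log line, in log order.

    A 2xx/3xx status on an 'exploit' hit is worth escalating: the DVR did
    not reject the request, so the device should be treated as compromised
    until proven otherwise.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        verdict = classify_request(m["target"])
        if verdict is None:
            continue
        status = int(m["status"])
        findings.append({
            "client": m["client"],
            "ts": m["ts"],
            "target": m["target"],
            "status": status,
            "verdict": verdict,
            "not_rejected": status < 400,
        })
    return findings


# Constructed sample lines: documentation addresses, made-up timestamps.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Apr/2026:10:00:02 +0000] '
    '"GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ HTTP/1.1" 200 4213',
    '198.51.100.5 - - [01/Apr/2026:10:00:03 +0000] "GET /device.rsp?opt=sys&cmd=other HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/Apr/2026:10:00:04 +0000] "GET /device.rsp?opt=user HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['verdict']:10} status={f['status']} {f['target']}")
```

Matching on the parsed path and query parameters rather than on the raw URL string avoids misses caused by parameter reordering or extra parameters; the `not_rejected` flag separates attempts that bounced off a hardened proxy from those the DVR actually accepted, which is the population the replacement and segmentation advice later in the article applies to most urgently.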
Researchers at Fortinet’s FortiGuard Labs analyzed the campaign, confirming Nexcorium’s Mirai lineage, including an XOR-encoded configuration table, a watchdog module for persistence, and a DDoS attack module capable of flooding targets on command. The malware also targets end-of-life TP-Link Wi-Fi routers via CVE-2017-17215, expanding its reach by exploiting unpatched legacy hardware.
Nexcorium employs multiple persistence and propagation mechanisms, including self-replicating binaries, C2 (command-and-control) communication channels, and Telnet brute-force attacks to spread across networks. It supports multiple CPU architectures, allowing it to infect a broader range of IoT devices. A watchdog process ensures the malware restarts if terminated, while FNV-1a hashing verifies binary integrity so that the malware restores itself if its binary is altered.
The botnet’s dual-target strategy, leveraging both TBK DVRs and TP-Link routers, creates a geographically distributed attack infrastructure capable of generating massive, hard-to-block DDoS traffic. Since compromised devices operate behind real IP addresses, their traffic appears legitimate, complicating mitigation efforts.
With no patch available for CVE-2024-3721, security researchers recommend replacing affected TBK DVRs and vulnerable TP-Link routers. Network segmentation and disabling unnecessary remote access to DVR management interfaces are also advised to limit exposure.
Source: https://cybersecuritynews.com/hackers-use-cve-2024-3721-to-infect-tbk-dvrs/
TP-Link Systems Inc. cybersecurity rating report: https://www.rankiteo.com/company/tp-link
"id": "TP-1776673453",
"linkid": "tp-link",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Small businesses, retail outlets, surveillance systems',
                        'industry': 'Surveillance / IoT',
                        'name': 'TBK',
                        'type': 'Manufacturer'},
                       {'industry': 'Networking / IoT',
                        'name': 'TP-Link',
                        'type': 'Manufacturer'}],
 'attack_vector': ['Unauthenticated Remote Code Execution (RCE)',
                   'Telnet Brute-Force Attacks'],
 'description': 'A newly uncovered botnet campaign is exploiting a critical vulnerability in TBK digital video recorders (DVRs) to deploy Nexcorium, a Mirai-based malware designed for large-scale distributed denial-of-service (DDoS) attacks. The flaw, CVE-2024-3721 (CVSS 6.3), affects TBK’s DVR-4104 and DVR-4216 models, which remain widely deployed in small businesses, retail outlets, and surveillance systems due to outdated firmware and weak default credentials. Attackers exploit the vulnerability by sending a crafted HTTP request to the endpoint `/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___`, enabling unauthenticated remote code execution (RCE). Once compromised, the device is enslaved into the botnet, with Nexcorium displaying the message *“nexuscorp has taken control”* upon execution. The malware also targets end-of-life TP-Link Wi-Fi routers via CVE-2017-17215, expanding its reach by exploiting unpatched legacy hardware.',
 'impact': {'operational_impact': 'Compromised devices enslaved into botnet for DDoS attacks',
            'systems_affected': 'TBK DVRs (DVR-4104, DVR-4216) and TP-Link Wi-Fi routers'},
 'motivation': 'Large-scale DDoS attacks',
 'post_incident_analysis': {'corrective_actions': ['Patch management',
                                                   'Device replacement',
                                                   'Network segmentation',
                                                   'Disabling remote access'],
                            'root_causes': ['Unpatched TBK DVRs (CVE-2024-3721)',
                                            'Unpatched TP-Link routers (CVE-2017-17215)',
                                            'Weak default credentials',
                                            'Outdated firmware']},
 'recommendations': ['Replace affected TBK DVRs and vulnerable TP-Link routers',
                     'Implement network segmentation',
                     'Disable unnecessary remote access to DVR management interfaces'],
 'references': [{'source': 'Fortinet’s FortiGuard Labs'}],
 'response': {'containment_measures': ['Network segmentation',
                                       'Disabling unnecessary remote access to DVR management interfaces'],
              'network_segmentation': 'Recommended',
              'remediation_measures': ['Replacing affected TBK DVRs',
                                       'Replacing vulnerable TP-Link routers'],
              'third_party_assistance': 'Fortinet’s FortiGuard Labs'},
 'threat_actor': 'Nexcorium (Mirai-based malware operators)',
 'title': 'Nexcorium Botnet Exploits Unpatched TBK DVRs and TP-Link Routers in Large-Scale DDoS Campaign',
 'type': 'Botnet / DDoS Campaign',
 'vulnerability_exploited': ['CVE-2024-3721 (TBK DVRs)',
                             'CVE-2017-17215 (TP-Link Routers)']}