CVE-2016-20016 in CCTV DVR (JAWS)

Summary

by MITRE • 10/19/2022

MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.


Analysis

by VulDB Data Team • 05/09/2025

CVE-2016-20016 is a critical remote code execution flaw in MVPower CCTV DVR systems that has persisted across multiple firmware versions from 2014 through 2019. It affects models including the TV-7104HE with firmware version 1.8.4 115215B9 and the TV7108HE, leaving networked surveillance infrastructure persistently exposed. The flaw is a web shell reachable at the /shell URI that requires no authentication, so an attacker bypasses normal access controls and gains unrestricted system access. The name "JAWS webserver RCE" comes from the distinctive HTTP response server field that identifies affected systems, which makes them easy for automated attack tools and malicious actors to single out.

Technically, the vulnerability stems from inadequate authentication and improper input validation in the DVR's web server. The /shell URI endpoint exposes operating system command execution without any authentication or authorization check, which amounts to a backdoor that lets an attacker run arbitrary commands with the highest possible privileges. Those commands execute as root, so anyone who reaches the interface has complete control of the device: they can alter system configuration, install malicious software, exfiltrate recorded footage, or use the compromised device as an entry point for further network infiltration. The flaw's persistence across multiple firmware versions points to a fundamental design defect in the software architecture rather than a simple, patchable bug.

The operational impact of CVE-2016-20016 extends well beyond the device itself, because a compromised DVR can serve as a persistent foothold for broader network attacks. Organizations that deploy these devices in critical infrastructure environments face unauthorized surveillance access, data exfiltration, and use of the devices as launching points for lateral movement within corporate networks. Exploitation in the wild between 2017 and 2022 demonstrates the flaw's practical value to threat actors, who have used it to compromise surveillance systems for espionage, data theft, or to enlist devices as botnet nodes. The ease of exploitation, combined with the absence of any authentication requirement, makes these devices attractive targets for automated scanning and exploitation campaigns. Security researchers have documented the vulnerability in the context of IoT botnet infections, where compromised DVRs contribute to large-scale distributed denial-of-service attacks and persistent surveillance operations.

Mitigation of CVE-2016-20016 calls for immediate action because the vulnerability persists across multiple firmware versions. Organizations should segment the network to isolate affected DVRs from critical segments, disable unnecessary network services, and apply firmware updates from MVPower when available. The vulnerability maps to CWE-20 Improper Input Validation and CWE-305 Authentication Bypass, and its exploitation patterns are consistent with ATT&CK techniques T1059 Command and Scripting Interpreter and T1071.001 Application Layer Protocol: Web Protocols. Network administrators should deploy intrusion detection to monitor for access attempts to the /shell URI and implement firewall rules that block access to affected devices from untrusted networks. The most effective long-term remedy is to replace affected DVRs with models that properly implement authentication and input validation, since the flaw's persistence across firmware versions suggests that patching may not be consistently effective across all deployed instances.
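The monitoring advice above (watch for access attempts to the /shell URI) can be implemented as a simple log-based detection. The following Python is an added example written for this page; it is not VulDB's or MVPower's code. It assumes access logs from a reverse proxy or IDS in Common Log Format placed in front of the DVR network, and the log lines it processes are constructed samples, not captures from a real device. The path normalization handles the evasions a naive substring match would miss: query strings, percent-encoding (including double encoding), repeated slashes and trailing slashes, while still rejecting paths that merely begin with "shell".

```python
"""Flag HTTP requests to the JAWS /shell URI in web or proxy access logs.

Added detection example (not from the original page). Input is assumed to
be Common Log Format; the sample lines below are constructed.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "method target proto" status size
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SHELL_PATH = "/shell"  # the unauthenticated endpoint named in the advisory


def normalize_path(target):
    """Reduce a request target to a canonical path for comparison.

    Drops the query string and fragment, percent-decodes twice (to catch
    double-encoding), collapses repeated slashes, strips a trailing slash
    and lowercases. Lowercasing widens the match deliberately: a detection
    rule should err toward flagging case variants for review.
    """
    path = target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(unquote(path))
    path = re.sub(r"/+", "/", path)
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return path.lower()


def is_shell_request(target):
    """True if the request target resolves exactly to the /shell endpoint."""
    return normalize_path(target) == SHELL_PATH


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def detect_shell_access(lines):
    """Return one finding per request that hit /shell, with context fields."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the pipeline
        if is_shell_request(rec["target"]):
            findings.append({
                "client": rec["client"],
                "time": rec["time"],
                "method": rec["method"],
                "target": rec["target"],
                "status": int(rec["status"]),
            })
    return findings


# Constructed sample log lines (not real traffic). Client addresses are
# documentation ranges and the query parameter is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/May/2025:10:00:02 +0000] "GET /shell HTTP/1.1" 200 64',
    '198.51.100.7 - - [05/May/2025:10:00:03 +0000] "GET /shell?PLACEHOLDER HTTP/1.1" 200 128',
    '198.51.100.7 - - [05/May/2025:10:00:04 +0000] "GET //%73hell/ HTTP/1.1" 200 128',
    '203.0.113.5 - - [05/May/2025:10:00:05 +0000] "GET /shellfish.html HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in detect_shell_access(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} {f['target']} -> {f['status']}")
```

Run against the constructed sample, the detector reports three findings (the plain, query-string and encoded variants) and ignores both the unrelated /shellfish.html request and the unparseable line. A successful status code on a flagged request is the strongest signal: a 200 to /shell on a device that should not expose it at all suggests the endpoint is live and the device should be isolated and examined.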

Reservation

10/19/2022

Disclosure

10/19/2022

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.90604

KEV

no

Activities

very low
