CVE-2016-20016

CRITICALNVD 9.89.8
EchelonGraph scoreHIGH confidence

Score elevated to 9.8 because EPSS predicts 91% probability of exploitation within the next 30 days (top 0.4% of all CVEs). NVD baseline CVSS 9.8 retained for reference. Confidence: see factors.

Triggered by: EPSS exploit prediction ≥85%
Sources: epss, ghsa, nvd
Weaponized
9.8
EchelonGraph verdictPatch this weekExploitation is likely or a public exploit exists.
  • High exploitation likelihood — EPSS 86%
CISA-KEV: Not listedEPSS: 86%CVSS: 9.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.

CVSS v3
9.8
EG Score
9.8(high)
EPSS
99.7%
KEV
Not listed

Published

October 19, 2022

Last Modified

May 9, 2025

Advisory Details (3)

Auto-updated May 25, 2026
🔬 Proof of concept available. No patch confirmed yet.
generic

Pwning CCTV cameras | Pen Test Partners

https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/
generic🟡 PoC Available

MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Command Execution (Metasploit) - ARM remote Exploit

https://www.exploit-db.com/exploits/41471
generic

IoT_reaper: A Rappid Spreading New IoT Botnet

https://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/

Publicly available exploits

(1 reference)

Working exploit code is in the public domain (1 Metasploit module). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

  • Metasploitexploit/linux/http/mvpower_dvr_shell_exec✓ verified
    First seen Aug 23, 2015

    MVPower DVR Shell Unauthenticated Command Execution

    Open source ↗

Frequently asked(5)

What is CVE-2016-20016?
CVE-2016-20016 is a critical vulnerability published on October 19, 2022. MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE"…
When was CVE-2016-20016 disclosed?
CVE-2016-20016 was first published in the National Vulnerability Database on October 19, 2022, with the most recent update on May 9, 2025. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2016-20016 actively exploited?
CVE-2016-20016 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 99.7% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2016-20016?
CVE-2016-20016 has a CVSS v3 base score of 9.8 (NVD).
How do I remediate CVE-2016-20016?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2016-20016, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2016-20016

Explore →

Is Your Infrastructure Affected by CVE-2016-20016?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.