MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.
CVE-2016-20016
Score elevated to 9.8 because EPSS predicts 91% probability of exploitation within the next 30 days (top 0.4% of all CVEs). NVD baseline CVSS 9.8 retained for reference. Confidence: see factors.
- High exploitation likelihood — EPSS 86%
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 9.8
- EG Score
- 9.8(high)
- EPSS
- 99.7%
- KEV
- Not listed
Published
October 19, 2022
Last Modified
May 9, 2025
Advisory Details (3)
Auto-updated May 25, 2026Pwning CCTV cameras | Pen Test Partners
https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Command Execution (Metasploit) - ARM remote Exploit
https://www.exploit-db.com/exploits/41471IoT_reaper: A Rappid Spreading New IoT Botnet
https://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/Publicly available exploits
(1 reference)Working exploit code is in the public domain (1 Metasploit module). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Metasploitexploit/linux/http/mvpower_dvr_shell_exec✓ verifiedFirst seen Aug 23, 2015
MVPower DVR Shell Unauthenticated Command Execution
Open source ↗
Frequently asked(5)
What is CVE-2016-20016?
When was CVE-2016-20016 disclosed?
Is CVE-2016-20016 actively exploited?
What is the CVSS score of CVE-2016-20016?
How do I remediate CVE-2016-20016?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2016-20016
Is Your Infrastructure Affected by CVE-2016-20016?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.