[VULNERABILITY ALERT] Merit Lilin | Surveillance Host - OS Command Injection (CVE-2026-0854)

• Subject: [VULNERABILITY ALERT] Merit Lilin | Surveillance Host - OS Command Injection (CVE-2026-0854)

• Content Description:
  • Forwarded from Taiwan Computer Emergency Response Team/Coordination Center Security Alert TWCERTCC-200-202601-00000007
  • [Merit Lilin | Surveillance Host - OS Command Injection] (CVE-2026-0854, CVSS: 8.8) An OS Command Injection vulnerability exists in certain surveillance host models developed by Merit Lilin. An authenticated remote attacker can inject arbitrary operating system commands and execute them on the device.
• Affected Platforms:
  • DH032: versions v1.0.28.3858 (inclusive) and earlier
  • DVR708, DVR716: versions v1.3.4 (inclusive) and earlier
  • DVR804, DVR808, DVR816: versions v1.3.4 (inclusive) and earlier
  • NVR100L, NVR200L, NVR400L, NVR1400L, NVR2400L: versions v1.1.66 (inclusive) and earlier
  • NVR3216, NVR3416, NVR3416r, NVR3816: versions v2.0.74.3921 (inclusive) and earlier
  • NVR5832, NVR5832S: versions v4.0.24.4043 (inclusive) and earlier
  • NVR5104E, NVR5208E, NVR5416E: versions v4.0.24.4078 (inclusive) and earlier
• Recommended Actions:
  • Please refer to the official announcement (M00175) to update the firmware.
• Reference Material:
  1. https://www.twcert.org.tw/tw/cp-132-10624-6599c-1.html
  2. https://www.meritlilin.com/security/indexch.html#Anchor

Computer and Communication Center
Network Systems Division, Respectfully