POSTING DATE: 2026/01/14

[VULNERABILITY ALERT] Merit Lilin | Surveillance Host - OS Command Injection (CVE-2026-0854)

  • Content Description:
    • Forwarded from Taiwan Computer Emergency Response Team/Coordination Center Security Alert TWCERTCC-200-202601-00000007
    • [Merit Lilin | Surveillance Host - OS Command Injection] (CVE-2026-0854, CVSS: 8.8) An OS Command Injection vulnerability exists in certain surveillance host models developed by Merit Lilin. An authenticated remote attacker can inject arbitrary operating system commands and execute them on the device.
  • Affected Platforms:
    • DH032: versions v1.0.28.3858 (inclusive) and earlier
    • DVR708, DVR716: versions v1.3.4 (inclusive) and earlier
    • DVR804, DVR808, DVR816: versions v1.3.4 (inclusive) and earlier
    • NVR100L, NVR200L, NVR400L, NVR1400L, NVR2400L: versions v1.1.66 (inclusive) and earlier
    • NVR3216, NVR3416, NVR3416r, NVR3816: versions v2.0.74.3921 (inclusive) and earlier
    • NVR5832, NVR5832S: versions v4.0.24.4043 (inclusive) and earlier
    • NVR5104E, NVR5208E, NVR5416E: versions v4.0.24.4078 (inclusive) and earlier
  • Recommended Actions:
    • Please refer to the official announcement (M00175) to update the firmware.

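To triage a device inventory against the affected platforms listed above, the following added example (not part of the original alert or of any Merit Lilin tooling) compares firmware strings numerically, so that v1.3.10 is not mistaken for a version older than v1.3.4. The host names, sample inventory, and result labels are constructed for illustration; the thresholds are copied from the list above.

```python
import re

# Highest affected firmware per model, copied from "Affected Platforms" above.
_GROUPS = {
    "v1.0.28.3858": ["DH032"],
    "v1.3.4": ["DVR708", "DVR716", "DVR804", "DVR808", "DVR816"],
    "v1.1.66": ["NVR100L", "NVR200L", "NVR400L", "NVR1400L", "NVR2400L"],
    "v2.0.74.3921": ["NVR3216", "NVR3416", "NVR3416R", "NVR3816"],
    "v4.0.24.4043": ["NVR5832", "NVR5832S"],
    "v4.0.24.4078": ["NVR5104E", "NVR5208E", "NVR5416E"],
}
THRESHOLDS = {m: v for v, models in _GROUPS.items() for m in models}

def parse_version(text):
    """Turn 'v1.3.4' into (1, 3, 4); return None if it is not dotted-numeric."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def _pad(parts, width):
    # Pad with zeros so that 1.3 compares as 1.3.0.
    return parts + (0,) * (width - len(parts))

def classify(model, firmware):
    """Label one device: affected, above-affected-range, unknown-model, unparsed-version."""
    limit = THRESHOLDS.get(model.strip().upper())  # model match is case-insensitive
    if limit is None:
        return "unknown-model"
    have = parse_version(firmware)
    if have is None:
        return "unparsed-version"  # needs a manual check; never assume safe
    want = parse_version(limit)
    width = max(len(have), len(want))
    # "(inclusive) and earlier" means have <= want, compared field by field.
    return "affected" if _pad(have, width) <= _pad(want, width) else "above-affected-range"

def triage(inventory):
    """inventory: iterable of (host, model, firmware) tuples."""
    return [(h, m, fw, classify(m, fw)) for h, m, fw in inventory]

# Constructed sample inventory (hypothetical hosts and firmware strings).
SAMPLE = [
    ("dvr-lobby", "DVR716", "v1.3.4"),
    ("dvr-dock", "DVR716", "1.3.10"),
    ("nvr-lab", "nvr3416r", "v2.0.74.3921"),
    ("nvr-gate", "NVR5832S", "v4.0.24.4044"),
    ("nvr-roof", "NVR5416E", "beta-7"),
    ("nvr-old", "NVR9999", "v1.0.0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

A result of above-affected-range only means the firmware is newer than the bound listed here; confirm the fixed version against the official announcement (M00175).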
Computer and Communication Center
Network Systems Division, Respectfully