Unrated severityNVD Advisory· Published Oct 19, 2022· Updated May 9, 2025

CVE-2016-20016

Description

MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

MVPower/CCTV DVRdescription
MVPower/CCTV DVRllm-create

Patches

Vulnerability mechanics

References

blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/mitre
www.exploit-db.com/exploits/41471mitre
www.pentestpartners.com/security-blog/pwning-cctv-cameras/mitre

News mentions

What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary], (Wed, Jun 24th)
SANS Internet Storm Center · Jun 25, 2026

cvss	0.000
epss	0.069
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000