
CVE-2025-34054 and Multi-CVE Campaign Targeting Edge Devices

Campaign combining CVE-2025-34054 (AVTECH DVR), GLPI RCE, and D-Link exploits targets unpatched edge devices. Three active C2 addresses identified in the wild.
Sami Malik
Copywriter

A new multi-CVE campaign documented on AlienVault OTX by LevelBlue is targeting enterprises, public sector bodies, and critical infrastructure operators with a combination of five vulnerabilities spanning a decade of unpatched security debt. The operation is live. The infrastructure is identifiable. And the mix of CVEs involved tells you something important about how modern threat actors think — they don't need a zero-day when your network still runs hardware from 2012.

The CVEs at the Centre of This Campaign

The campaign ties together CVE-2025-34054, CVE-2022-35914, CVE-2021-27137, CVE-2016-15047, and CVE-2015-2051. That span, from 2015 to 2025, is not accidental. It reflects a deliberate strategy of opportunistic, broad-surface scanning: exploit whatever is reachable, whatever hasn't been touched by a patch cycle, whatever IT forgot was still switched on in the corner of a branch office or server room. Three of those five CVEs are covered in depth below, because they represent the clearest and most immediate risk to the organisations most likely reading this.

CVE-2025-34054: AVTECH DVR Command Injection

AVTECH digital video recorders are workhorses of physical security infrastructure. You'll find them behind IP cameras in bank branches, government buildings, retail sites, and manufacturing floors. They're often treated as out-of-scope by IT security teams because they belong to facilities management, not the network team. That assumption is now a liability.

CVE-2025-34054 is an unauthenticated command injection flaw affecting the Search.cgi?action=cgi_query endpoint on AVTECH DVR devices. An attacker who can reach that endpoint, with no credentials required, can inject shell commands through the username or queryb64str parameters. Those commands execute as root. Full device compromise from a single unauthenticated HTTP request. The CVEDetails entry confirms first observed exploitation by the Shadowserver Foundation on 4 January 2025 UTC, meaning this vulnerability entered active abuse within the first days of the year. It is not theoretical. It was being weaponised before most organisations had finished their January patch review meetings.

The significance here extends beyond the device itself. A compromised DVR sits on your internal network. It can be used as a pivot point: a foothold that lets an attacker reach adjacent segments, capture credentials transmitted over the same network, or enrol the device in a botnet that serves the campaign's broader objectives. Understanding your full attack surface, including IoT and physical security hardware, is no longer optional.

CVE-2022-35914: GLPI Remote Code Execution

GLPI is an open-source IT asset management and helpdesk platform. It's popular across European enterprises and public sector bodies precisely because it's free, well-documented, and capable of managing large, complex environments. Banks use it. Municipalities use it. Universities use it. And because it's useful, it tends to accumulate data that makes it extremely attractive to attackers.

CVE-2022-35914 allows an unauthenticated attacker to achieve remote code execution on a GLPI installation. No login required. The danger compounds quickly when you think about what GLPI actually holds: privileged credentials, service account tokens, asset inventories, and a complete history of IT tickets that can include passwords shared in plain text, configuration details, and network diagrams submitted by staff who didn't know better. Compromise a GLPI instance and you've potentially got a map of the entire environment alongside the keys to unlock significant parts of it.

The inclusion of this CVE alongside hardware-focused vulnerabilities in the same campaign is telling. This isn't a single-target operation. The actor behind this infrastructure is scanning for any exposed, exploitable service, and GLPI instances, particularly those accessible from the internet or from a DMZ, fit that profile precisely.

CVE-2015-2051 and the D-Link DIR-645 Problem

Ten years old. Still being actively exploited in a live 2025 campaign. If you need a single data point to justify your end-of-life hardware replacement budget conversation, CVE-2015-2051 is it.

The D-Link DIR-645 router is the subject of this CVE. D-Link no longer supports this device, which means no firmware updates, no patches, and no official remediation path. These routers still appear in branch office networks, in small business environments, and in the network periphery of larger organisations that acquired them through merger, acquisition, or years of decentralised procurement decisions. Vulnerability management programmes that prioritise recent CVEs (perfectly rational from a triage standpoint) often miss decade-old flaws against decade-old hardware that somehow never made it onto the replacement roadmap.

Public exploit code for CVE-2015-2051 is freely and widely available. Any actor with a basic scanning capability can point an automated tool at a network range and identify exposed DIR-645 devices within minutes. The age of the CVE provides no protection whatsoever. If anything, longevity increases the risk: the longer a device has been sitting unpatched, the more likely it's also been forgotten entirely by the team responsible for it.

Why Multi-CVE Campaigns Are More Dangerous Than Single-Flaw Operations

A threat actor who builds an operation around a single vulnerability is gambling. If you've patched that one flaw, or if the affected product isn't in your environment, they leave empty-handed. That's not the model here. When an actor combines legacy CVEs from 2015 and 2016 with a vulnerability reported in early 2022 and a fresh flaw first exploited in January 2025, they're running a probability game across your entire estate simultaneously.

The logic is straightforward and brutal. Mixed-vintage environments (the combination of modern enterprise software, ageing network appliances, and IoT hardware that has never seen a firmware update) are the most exposed profile. Large organisations almost always have this profile. A global bank has GLPI or a similar ITSM tool. It also has DVRs in fifty branch offices. It probably has legacy routers in markets where hardware refresh cycles run five to seven years. The attacker doesn't need every vulnerability to fire. They need one.

Multi-CVE campaigns also create a detection problem. Your SIEM may be tuned to alert on known exploitation patterns for recent CVEs. It may not be looking for exploitation attempts against a 2015 D-Link vulnerability because no one updated the detection rules for it. The campaign's breadth becomes camouflage: activity against the DIR-645 looks routine and low-priority while the actor simultaneously probes your GLPI instance from the same infrastructure.

Good cyber threat intelligence practice means tracking campaigns holistically, not just individual CVEs in isolation. The infrastructure linking these five vulnerabilities is what matters, because it tells you a single actor is behind all of it.

The Edge Device Exploitation Trend Behind This Campaign

This campaign doesn't exist in a vacuum. It's part of a broader shift in how sophisticated threat actors approach initial access, one that has been accelerating rapidly and that security teams at enterprises and government bodies need to internalise now.

From 3% to 22% of Exploitation Breaches

According to VulnCheck's analysis of exploitation trends, edge device exploitation rose from 3% to 22% of all exploitation-driven breaches in a single year. That's roughly an eightfold increase. Edge appliances (routers, firewalls, VPN concentrators, DVRs, cameras) accounted for 17% of all actively exploited CVEs in the dataset. And 53% of the exploitation activity in this category was attributed to state-sponsored actors.

Read that again. More than half of edge device exploitation is state-sponsored. That's not script kiddies running Shodan queries. That's organised, resourced, persistent operations with geopolitical objectives. When a vulnerability in an AVTECH DVR or a D-Link router appears in a state-linked campaign, the intent is rarely just to compromise one device. It's to establish presence, maintain access, and prepare the ground for whatever comes next.

Why Legacy Hardware Never Gets Patched

There are structural reasons why organisations end up with decade-old hardware still connected to live networks. Replacement cycles for physical infrastructure are long and expensive. In government bodies, procurement constraints can mean a device that was approved for a seven-year lifecycle is still running in year eleven because the budget for replacement hasn't cleared. In enterprises, acquisitions and mergers absorb entire IT estates without immediate rationalisation: the acquired company's D-Link routers become your problem, quietly, without anyone flagging them as a risk.

Vulnerability management tools are generally configured to prioritise by CVSS score and recency. A ten-year-old CVE against an end-of-life device often scores below the threshold that generates an urgent ticket. No one patches it. No one replaces the device. It sits there, reachable from the internet or from a compromised internal segment, waiting.

The pattern documented by Trend Micro in its Edge Under Siege research illustrates what this exposure looks like at scale. Earth Estries, also tracked as Salt Typhoon, breached over 600 organisations across 80 countries since 2019, with a strong focus on telecommunications providers. The US Treasury sanctioned an affiliated Chinese company in January 2025. The scale of that single campaign, and its decade-long duration, shows what persistent access through edge devices enables. The AVTECH DVR campaign shares the same structural logic, even if the actors and objectives differ.

Who Is at Risk

If your organisation deploys AVTECH DVR devices for physical security, in any office, data centre, retail location, or government site, you are directly in scope for CVE-2025-34054. Given that these devices are ubiquitous in commercial surveillance systems, that's a wide net.

If you run GLPI as your IT asset management or helpdesk platform, and that instance is reachable from outside your internal network, or reachable from a network segment that an attacker who's already gained initial access could reach, CVE-2022-35914 is a critical exposure. The unauthenticated RCE aspect means network segmentation is your primary defence in the absence of a patch.

If you have D-Link DIR-645 routers anywhere in your estate, they need to be located and replaced. There is no patch. There will be no patch. The only remediation is removal.

Organisations with distributed branch networks are at elevated risk across all three of these attack surfaces simultaneously. A bank with 200 branches, each running a local CCTV system and a router procured five years ago, may have all three vulnerable device types in the same physical locations. Government agencies with regional offices face the same profile. The organisations that think they're not affected because their central IT estate is well-maintained are often the ones with the most exposure in the periphery.

Sector-wise, the campaign's tool selection (DVRs, ITSM platforms, small office routers) maps most directly onto banking and financial services, government and public administration, healthcare (which runs extensive CCTV and often underfunded IT), and telecommunications. But honestly, any enterprise with a distributed footprint and a heterogeneous device estate should be treating this as directly relevant.

Indicators of Compromise

The active campaign infrastructure documented on AlienVault OTX uses three IPv4 addresses: 217.160.125.125, 176.100.37.91, and 85.215.131.70. These addresses are currently associated with active exploitation attempts across the five CVEs in this campaign. They should be blocked at the perimeter immediately and checked against historical firewall and proxy logs going back at least 90 days.

Understanding what to do with these addresses, and how to interpret the traffic patterns around them, requires clarity on what indicators of compromise actually represent operationally. An IP address in your logs doesn't confirm a breach; it flags that contact was made. The question is what happened during that contact. Look for HTTP requests to Search.cgi?action=cgi_query on any device in your environment. Look for unusual outbound connections from GLPI servers, particularly to addresses outside your expected traffic baseline. Look for any authentication or command activity originating from the three IPs above against any network device, particularly edge appliances in branch locations.

Expand your IOC search to GLPI access logs. Unauthenticated RCE exploitation for CVE-2022-35914 will typically manifest as unexpected process spawning from the web server process. If you have endpoint detection on the GLPI host, review process creation events. If you don't (and many organisations running GLPI on-premise don't), a forensic review of web server access logs for anomalous request patterns is your starting point.

For the DIR-645 devices, detection is harder because the devices themselves generate minimal usable logs. Network flow data is more useful here: look for unexpected outbound connections from those devices' IP addresses, particularly to the three campaign IPs or to addresses in the same hosting ranges.
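The retrospective sweep described in the three paragraphs above, as an added example that is not code from the original article. It runs two checks over constructed data: web-server access log lines in the common "combined" format (flagging any request to Search.cgi?action=cgi_query, any use of the username or queryb64str parameters, and any request from one of the three campaign IPs) and simplified flow records (flagging outbound connections from inventoried DVR or DIR-645 addresses to the campaign IPs). Only the three campaign addresses, the endpoint and the two parameter names come from the article; every log line, asset address, the flow record format and the URL path prefix in the samples are constructed for this example.

```python
"""Retrospective IOC sweep for the campaign indicators named in the article.

Added example, not the article's or any vendor's code. Sample data below is
constructed; only the campaign IPs, the Search.cgi?action=cgi_query endpoint
and the username/queryb64str parameter names come from the article.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Campaign infrastructure as listed in the article.
CAMPAIGN_IPS = {"217.160.125.125", "176.100.37.91", "85.215.131.70"}

# Parameters the article names as the injection points for CVE-2025-34054.
INJECTABLE_PARAMS = ("username", "queryb64str")

# Apache/nginx "combined"-style access log line. Non-matching lines are
# skipped rather than guessed at.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def check_access_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src = m.group("ip")
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)
    reasons, touched = [], []
    if src in CAMPAIGN_IPS:
        reasons.append("source is a known campaign IP")
    # The article gives no path prefix for Search.cgi, so match the script
    # name and the action parameter only.
    if parts.path.endswith("Search.cgi") and query.get("action") == ["cgi_query"]:
        reasons.append("request to Search.cgi?action=cgi_query")
        touched = [p for p in INJECTABLE_PARAMS if p in query]
        if touched:
            reasons.append("injectable parameters present: " + ", ".join(touched))
    if not reasons:
        return None
    # Endpoint hit alone is worth a look; campaign source or injectable
    # parameters on the wire make it a priority.
    severity = "high" if (src in CAMPAIGN_IPS or touched) else "medium"
    return {"src": src, "target": m.group("target"),
            "severity": severity, "reasons": reasons}


def sweep_access_log(lines):
    return [f for f in (check_access_line(ln) for ln in lines) if f]


def check_flow_line(line, asset_ips):
    """Flow record 'src,dst,dport,bytes' (constructed format). Flags outbound
    connections from inventoried edge assets to campaign IPs."""
    src, dst, dport, nbytes = line.strip().split(",")
    if src in asset_ips and dst in CAMPAIGN_IPS:
        return {"src": src, "asset": asset_ips[src], "dst": dst,
                "dport": int(dport), "bytes": int(nbytes), "severity": "high",
                "reasons": ["outbound connection from edge asset to campaign IP"]}
    return None


def sweep_flows(lines, asset_ips):
    return [f for f in (check_flow_line(ln, asset_ips) for ln in lines) if f]


# Constructed sample access log (not real traffic; path prefix is made up).
ACCESS_LOG = [
    '10.20.30.40 - - [12/Feb/2025:09:15:02 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '217.160.125.125 - - [12/Feb/2025:09:16:41 +0000] '
    '"GET /cgi-bin/Search.cgi?action=cgi_query&username=admin&queryb64str=Zm9v HTTP/1.1" 200 512',
    '10.20.30.41 - - [12/Feb/2025:09:20:05 +0000] "GET /cgi-bin/Search.cgi?action=cgi_query HTTP/1.1" 200 2200',
    '176.100.37.91 - - [12/Feb/2025:09:22:13 +0000] "GET /glpi/index.php HTTP/1.1" 200 3308',
    'not a log line',
]

# Constructed inventory of edge assets at one branch and their flow records.
ASSET_IPS = {"10.50.1.1": "AVTECH DVR (branch 12)",
             "10.50.1.254": "D-Link DIR-645 (branch 12)"}
FLOWS = [
    "10.50.1.1,198.51.100.7,443,8213",      # DVR to an unrelated host (TEST-NET-2)
    "10.50.1.1,85.215.131.70,8080,1290",    # DVR to a campaign IP
    "10.50.1.254,176.100.37.91,443,40960",  # DIR-645 to a campaign IP
    "10.20.30.40,198.51.100.7,443,2210",    # workstation, not an inventoried asset
]

if __name__ == "__main__":
    for f in sweep_access_log(ACCESS_LOG) + sweep_flows(FLOWS, ASSET_IPS):
        print(f["severity"].upper(), f["src"], "->", "; ".join(f["reasons"]))
```

Point the two sweep functions at real exports (access logs from every DVR and the GLPI web server, flow records from branch firewalls) for the 90-day window the article recommends. The flow check matters most for the DIR-645, where the device itself logs almost nothing.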

What to Do Now

Start with an inventory sprint. Right now, this week. Pull every AVTECH DVR, every GLPI instance, and every D-Link DIR-645 from your asset register , and if your asset register doesn't include IoT and physical security hardware, that's the first structural gap to fix. You cannot protect what you haven't catalogued.

For AVTECH DVRs, check whether your vendor has issued a firmware update addressing CVE-2025-34054. If an update exists, deploy it. If it doesn't, restrict network access to the Search.cgi endpoint at the firewall or WAF level immediately. These devices should not be directly reachable from the internet under any circumstances. If they currently are, that's an emergency configuration issue independent of this specific CVE.

For GLPI, prioritise patching to a version that addresses CVE-2022-35914. If you cannot patch immediately (and in enterprise environments with change management processes, "immediately" is relative), then ensure the GLPI interface is not reachable from outside your internal network without authenticated VPN access. Review whether your GLPI instance holds credentials or service account tokens that could be used to move laterally if the platform were compromised, and rotate those credentials proactively.

For DIR-645 routers: replace them. There is no firmware path. Contact your facilities or branch IT teams today and get a count of affected devices. If replacement cannot happen within the next 30 days, isolate those devices on a separate VLAN with no route to sensitive internal segments and block all inbound access from the internet to those devices' management interfaces. That's a stopgap, not a solution, but it reduces the immediate blast radius while procurement runs its course.

Block the three campaign IPs at your perimeter firewall: 217.160.125.125, 176.100.37.91, and 85.215.131.70. Feed them into your SIEM and threat intelligence platform as high-priority IOCs. Run a retrospective search across 90 days of logs before deploying the block: you need to know if contact was already made before you cut the connection.

Finally, review your vulnerability management prioritisation logic. If your tooling deprioritises CVEs below a certain age or CVSS threshold, you have a structural blind spot that this campaign is designed, deliberately or not, to exploit. Legacy CVEs against end-of-life hardware deserve a separate triage track. Age is not a proxy for safety.
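The triage logic this section argues for, as an added example that is not code from the original article. It puts the three campaign CVEs from the inventory sprint side by side under two orderings: a recency- and score-first queue with the age and severity thresholds many tools apply, which silently drops CVE-2015-2051, and an exploitation- and reachability-first ordering with a separate end-of-life replacement track, which keeps it visible and attaches the stopgap each device type needs. Asset names, exposure flags, patch availability and all severity scores are constructed for the example (the scores are not official CVSS values), and CVE-PLACEHOLDER-0001 is a made-up identifier standing in for a newer, authenticated-only flaw that nobody is exploiting.

```python
"""Triage comparison: age/score-first versus exposure-first with an EOL track.

Added example, not the article's or any vendor's code. All scores, asset
names and exposure flags are constructed; CVE-PLACEHOLDER-0001 is not a
real identifier.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    year: int                # CVE publication year, the only "recency" signal used
    score: float             # constructed severity score, not an official CVSS value
    exploited: bool          # confirmed exploitation (in this campaign or elsewhere)
    unauthenticated: bool    # no credentials needed to exploit
    internet_reachable: bool
    patch_available: bool    # False means vendor end-of-life: replace, don't wait


def naive_queue(findings, min_score=7.0, max_age_years=5, now=2025):
    """Recency/score-first with thresholds: the blind spot the article describes.
    Anything older than max_age_years or below min_score never reaches the queue."""
    kept = [f for f in findings
            if f.score >= min_score and now - f.year <= max_age_years]
    return sorted(kept, key=lambda f: (f.year, f.score), reverse=True)


def risk_key(f):
    # Confirmed exploitation, no-auth and reachability outrank the score;
    # publication year is only the final tie-break.
    return (f.exploited, f.unauthenticated, f.internet_reachable, f.score, f.year)


def triage(findings):
    """Split into a patch queue and an end-of-life replacement track, both
    ordered by exposure rather than age. Nothing is dropped."""
    patch_queue = sorted((f for f in findings if f.patch_available),
                         key=risk_key, reverse=True)
    eol_track = sorted((f for f in findings if not f.patch_available),
                       key=risk_key, reverse=True)
    return patch_queue, eol_track


def action_for(f):
    """Stopgap per device class, following the article's guidance."""
    if not f.patch_available:
        return ("replace; until then isolate on a separate VLAN and block "
                "inbound access to the management interface")
    if f.internet_reachable and f.unauthenticated:
        return "patch now; until then restrict the endpoint at the firewall or WAF"
    return ("patch in the next change window; confirm segmentation and rotate "
            "any credentials the system stores")


# Constructed inventory: one branch office plus the central helpdesk.
# patch_available for CVE-2025-34054 is assumed for the example.
FINDINGS = [
    Finding("CVE-2025-34054", "AVTECH DVR, branch 12", 2025, 9.8, True, True, True, True),
    Finding("CVE-2022-35914", "GLPI helpdesk (internal only)", 2022, 9.0, True, True, False, True),
    Finding("CVE-2015-2051", "D-Link DIR-645, branch 12", 2015, 8.5, True, True, True, False),
    Finding("CVE-PLACEHOLDER-0001", "internal app server", 2024, 8.1, False, False, False, True),
]

if __name__ == "__main__":
    print("naive queue:", [f.cve for f in naive_queue(FINDINGS)])
    patch_queue, eol_track = triage(FINDINGS)
    for f in patch_queue + eol_track:
        print(f"{f.cve:22} {f.asset:32} {action_for(f)}")
```

Running it shows the naive queue ranking the unexploited placeholder above the GLPI flaw and omitting the DIR-645 entirely, while the exposure-first triage lists the three campaign CVEs first and puts the end-of-life router on its own track with a replacement action rather than a patch that will never arrive.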

How Defendis Can Help

Attacks like this one rarely announce themselves through official channels first. New payloads, active infrastructure, and exploitation techniques circulate in closed forums and private channels well before any public research surfaces them. By the time an incident makes it into a threat report, organisations without early visibility are already behind.

Defendis gives your security team that early visibility. We monitor the dark web, underground forums, and threat actor channels so your team receives relevant intelligence before it becomes breaking news: context about emerging threats matched against your organisation's exposure, without requiring your analysts to spend time in places they should not have to go.


Frequently Asked Questions

Is CVE-2015-2051 really still being exploited in live campaigns in 2025?

Yes. The LevelBlue intelligence documented on AlienVault OTX explicitly includes CVE-2015-2051 as part of this active campaign's exploit set. The D-Link DIR-645 is end-of-life, public exploit code is freely available, and the devices persist in environments where vulnerability management programmes deprioritise older CVEs. Age provides no protection against exploitation. If the device is reachable and unpatched, it is vulnerable regardless of when the CVE was published.

Do I need to worry about this if my GLPI instance is internal-only?

Internal-only reduces your exposure significantly, but doesn't eliminate it. CVE-2022-35914 requires network access to the GLPI interface, not internet access specifically. If an attacker gains initial access to your network through another vector (the AVTECH DVR flaw in the same campaign, for instance), they can then pivot to reach an internal GLPI instance. The combination of vulnerabilities in this campaign is precisely what makes network segmentation between device types so important. An internal GLPI deployment is lower risk than an internet-facing one, but it is not zero risk in the context of a multi-vector campaign operating on the same infrastructure.

What does CVE-2025-34054 specifically allow an attacker to do?

CVE-2025-34054 is an unauthenticated command injection vulnerability in AVTECH DVR devices. An attacker who can reach the Search.cgi?action=cgi_query endpoint can inject operating system commands through the username or queryb64str parameters without providing any credentials. Those commands execute with root privileges on the device. In practical terms, this means full control of the DVR from a single unauthenticated HTTP request: the attacker can modify the device's configuration, use it as a network pivot point, enrol it in a botnet, or use it to access other devices on the same network segment.

Why are three separate IPs significant here?

The use of three distinct IPv4 addresses (217.160.125.125, 176.100.37.91, and 85.215.131.70) within a single campaign infrastructure suggests operational maturity rather than a single-node operation. It provides redundancy: if one address is blocked, scanning and exploitation attempts can continue from the others. It also complicates retrospective log analysis, because a defender looking only for one IP may miss activity originating from the other two. Threat intelligence that ties all three to the same campaign, as the AlienVault OTX pulse does, is what makes it possible to block and hunt for all of them together rather than treating each as an isolated event.

How should CVE-2025-34054 be prioritised against other backlog items?

It should be at the top of your queue if you have AVTECH DVR devices in your environment. First observed exploitation was documented by the Shadowserver Foundation on 4 January 2025, meaning this vulnerability has been in active abuse for months already. It requires no authentication. It provides root-level command execution. And it is being used right now in a documented live campaign alongside four other vulnerabilities, which means the actor scanning for it is already active and already scanning your address ranges. The combination of unauthenticated access, root execution, and confirmed active exploitation in a live campaign puts this in the category of "patch or isolate before this week's change window closes", not next sprint's backlog.

About the author
Sami Malik is a copywriter passionate about crafting clear, engaging, and impactful content that helps brands connect with their audience through storytelling and strategy.
