A Chinese company that manufactures white-labeled DVRs still hasn’t patched a security flaw that’s been targeted by IoT botnets for over a year. The flaw is a severe RCE (Remote Code Execution) bug that allows an attacker to take over a DVR via a simple request. The vulnerability was discovered by security researcher Rotem Kerner in March 2016. TVT has been at the heart of many IoT DDoS attacks during the past year, including the Mirai botnet.
Source: https://www.bleepingcomputer.com/news/security/irresponsible-chinese-dvr-vendor-still-the-target-of-iot-botnets-one-year-later/