"With CVE-2018-9995, all you need to do is hit the URL for the embedded web-server that controls the device with this cookie header: "Cookie: uid=admin." The DVR then returns the root login and password in the clear. 55,000 devices with this vulnerability have been indexed by the Shodan search engine."
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9995