Almost exactly what I expected—a breakdown of open communication between your modem and router. Now, I don't use Bridge Mode on Spectrum systems; rather, I set my router/gateway device as DMZ on the Spectrum modem. That way, Spectrum can do their remote management without changing anything. I've had them reset their modem—restoring most of their default settings, including turning the built-in WiFi back on—while managing to retain the DMZ setting. Also, this tells me you're using an older Spectrum modem, as all the newer Spectrum modems operate in Bridge Mode by default and have only one Ethernet port, while the WiFi and routing are done in a separate cube device now, which you can disconnect and replace with your own router.
For what it's worth, I would like to "temper" what a lot of users on here have said about Port Forwarding being a great evil. It is not as "blanket bad" as they're saying it is, and VPNs aren't the great solution they're saying either. If someone hacks your VPN, they've got complete access to your entire network without having to compromise a forwarded device. Port Forwarding is actually far more safer as only one resource is forwarded, and ironically, port forwarding the first step to accessing your VPN! (They don't realize this because the "port forward" happens automatically in the router with the VPN.) I have actually done some high security work for a few companies who needed to access things like license servers and remote desktops offsite. They wanted to use a VPN. I said no, citing the above reasons (and more), choosing to install individual "secure tunnels" on our server to the specific network resources that were needed.
The real issue here is trust.
@CCTVCam here shared a great video demonstrating what is possible for a hacker on a non-trustworthy device. For example, I would never trust an IP camera or NVR/DVR; those ports should not be forwarded to the Internet. However, I do trust
Blue Iris. I also trust my webserver (I wrote the code). Both of these pieces of software have hacking protection built-in and lack POSTing ability. Obviously, someone here trusts their webserver plus whatever forum software this website is running, or we wouldn't be here on this forum. In the case of the secure tunnels mentioned above, I trust
stunnel, a piece of software you can also put in front of Blue Iris to give it HTTPS capability for an additional layer of security. For people copping out and saying that a VPN is the magical solution, they are trusting their router's built-in VPN server as well as every single user they supply their private key to. And if that private key gets compromised/into the wrong hands, every device on their network is fair game to a hacker.
In your case, because you're dealing with accessing a 3rd-party device, you don't have much of an option besides a VPN, although an intelligently setup VPN could potentially be firewalled from all devices on your network except for the NVR to further reduce the risk.