CVE-2025-34051
Published: Jul 1, 2025
Modified: Apr 7, 2026
Description
A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.
| Vendor | Product | Versions |
|---|---|---|
| AVTECH | DVR devices | affected 1001-1000-1000-1000; affected 1001-1000-1001-1001; affected 1002-1000-1002-1001; unaffected 1002-1001-1000-1000; affected 1002-1001-1001-1001; +67 more versions |
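For detection, the sketch below scans web access logs for requests to the endpoint named in the description and reports where the DVR was asked to connect. It is an added example, not part of the advisory or any vendor tooling; it assumes combined-format access logs from a proxy or sensor in front of the device, assumes `queryb64str` is base64 (inferred from the parameter name), and uses constructed log lines.

```python
import base64
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/nobody/Search.cgi"  # path named in the advisory
REQ_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')

def decode_b64(value):
    """Best-effort decode; base64 is an assumption inferred from the parameter name."""
    value = (value or "").replace(" ", "+")  # parse_qs turns '+' into a space
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", "replace") or None

def classify(target):
    """Label the destination the DVR was asked to contact."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return "hostname"
    if addr.is_loopback:
        return "loopback"
    return "internal" if addr.is_private else "external"

def find_cgi_query_hits(lines):
    """Return one record per cgi_query request found in combined-format log lines (assumed format)."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        url = urlsplit(m["uri"]) if m else None
        if url is None or url.path != ENDPOINT:
            continue
        qs = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        if qs.get("action") != "cgi_query":
            continue
        hits.append({"source": m["src"], "target": qs.get("ip", ""),
                     "port": qs.get("port", ""), "target_class": classify(qs.get("ip", "")),
                     "decoded_query": decode_b64(qs.get("queryb64str"))})
    return hits

_Q = base64.b64encode(b"constructed-sample").decode()  # constructed value
SAMPLE_LOG = [  # constructed entries, not from a real device or capture
    f'198.51.100.7 - - [01/Jul/2025:10:00:00 +0000] "GET {ENDPOINT}?action=cgi_query&ip=192.168.1.1&port=80&queryb64str={_Q} HTTP/1.1" 200 512',
    f'198.51.100.7 - - [01/Jul/2025:10:00:05 +0000] "GET {ENDPOINT}?action=cgi_query&ip=127.0.0.1&port=8080&queryb64str={_Q} HTTP/1.1" 200 128',
    '198.51.100.9 - - [01/Jul/2025:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]
```

Because the endpoint requires no authentication, every hit is worth reviewing; the `target_class` field helps prioritize requests aimed at loopback or internal addresses.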