CVE-2025-34054

Published: Jul 1, 2025

Modified: Apr 7, 2026

PUBLISHED

Description

An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.

Vendor: AVTECH

Product: IP camera, DVR, and NVR Devices

Affected versions:

1008-1002-1005-1000
1009-1003-1006-1001
1009Y-1003Y-1006Y-1001Y
1010-1004-1007-1001
1011-1005-1008-1002

+11 more versions

Weaknesses (CWE)
