Back to search
CVE-2025-34055
Published: Jul 1, 2025
Modified: Apr 7, 2026
PUBLISHED
Description
An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user.
| Vendor | Product | Versions |
|---|---|---|
AVTECH | IP camera, DVR, and NVR Devices | affected 1001-1000-1000-1000affected 1002-1000-1000-1000affected 1002-1001-1001-1001affected 1003-1000-1001-1000affected 1003-1001-1001-1000+148 more versions |
References
https://avtech.com/
product
https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities
third-party-advisory
technical-description
https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns
third-party-advisory
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now