CVE-2025-34053

AVTECH - Auth Bypass

Title source: llm

Description

An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints.

Exploits (1)

exploitdb WRITEUP

by Gergely Eberhardt · pythonwebappscgi

https://www.exploit-db.com/exploits/40500

View Code ZIP pw:eip

References (5)

[Various Sources] https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH

[Various Sources] https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities

[Various Sources] https://avtech.com/

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/40500

[Third Party Advisory] https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns

Scores

EPSS 0.0012

EPSS Percentile 30.6%

Classification

CWE

CWE-290

Status draft

Timeline

Published Jul 01, 2025

Tracked Since Feb 18, 2026