CVE-2025-34054

CRITICAL EXPLOITED

AVTECH DVR - Command Injection

Description

An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.

Exploits (1)

exploitdb WRITEUP
by Gergely Eberhardt · python · webapps · cgi
https://www.exploit-db.com/exploits/40500

Scores

CVSS v4 10.0
EPSS 0.0054
EPSS Percentile 67.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Details

VulnCheck KEV 2020-10-22
CWE CWE-78
Status published
Products (16)
AVTECH/IP camera, DVR, and NVR Devices 1008-1002-1005-1000
AVTECH/IP camera, DVR, and NVR Devices 1009-1003-1006-1001
AVTECH/IP camera, DVR, and NVR Devices 1009Y-1003Y-1006Y-1001Y
AVTECH/IP camera, DVR, and NVR Devices 1010-1004-1007-1001
AVTECH/IP camera, DVR, and NVR Devices 1011-1005-1008-1002
AVTECH/IP camera, DVR, and NVR Devices 1014-1005-1009-1002
AVTECH/IP camera, DVR, and NVR Devices 1015-1006-1010-1003
AVTECH/IP camera, DVR, and NVR Devices 1016-1007-1011-1003
AVTECH/IP camera, DVR, and NVR Devices 1017-1008-1012-1002
AVTECH/IP camera, DVR, and NVR Devices 1017Y-1008Y-1012Y-1002Y
... and 6 more
Published Jul 01, 2025
Tracked Since Feb 18, 2026