CVE-2026-34005

HIGH

Xiongmai DVR/NVR devices 4.03.R11 - Authenticated OS Command Injection via HostName Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-34005. PoCs published by uky007.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-34005, an OS command injection vulnerability in Xiongmai DVR/NVR devices. It includes root cause analysis, affected models, and mitigation guidance, but does not contain exploit code.

Description

In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is used.

Exploits (1)

nomisec WRITEUP 1 stars

by uky007 · poc

https://github.com/uky007/CVE-2026-34005

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2026-34005, an OS command injection vulnerability in Xiongmai DVR/NVR devices. It includes root cause analysis, affected models, and mitigation guidance, but does not contain exploit code.

Classification

Writeup 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Theoretical

Target: Xiongmai DVR/NVR (Sofia binary) V4.03.R11

Auth required

Prerequisites: DVRIP authentication · access to hostname configuration interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 08, 2026 Full analysis →

References (2)

Core 2

Core References

https://www.xiongmaitech.com

https://uky007.github.io/CVE-2026-34005/

Scores

CVSS v3 8.8

EPSS 0.0154

EPSS Percentile 71.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

Xiongmai/DVR/NVR devices 4.03.R11

Published Mar 29, 2026

Tracked Since Mar 29, 2026