CVE-2025-34043
Vacron NVR Remote Command Execution
Basic Information
- CVE State: PUBLISHED
- Reserved Date: April 15, 2025
- Published Date: June 26, 2025
- Last Updated: May 14, 2026
- Vendor: Vacron
- Product: Network Video Recorder (NVR)
- Description: A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi script. The vulnerability allows unauthenticated attackers to pass arbitrary commands to the underlying operating system via crafted HTTP requests. These commands are executed with the privileges of the web server process, enabling remote code execution and potential full device compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
CVSS Scores
CVSS v4.0
10.0 - CRITICAL
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SSVC Information
- Exploitation: poc
- Automatable: Yes
- Technical Impact: total
Exploit Status
- Exploited in the Wild: Yes (2026-01-10 00:00:00 UTC)
References
https://www.tenable.com/plugins/nessus/104124
https://www.sonicwall.com/blog/vacron-network-video-recorder-remote-command-execution
https://ssd-disclosure.com/ssd-advisory-vacron-nvr-remote-command-execution/
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=30386
https://vulncheck.com/advisories/vacron-nvr-remote-command-execution
https://www.vacron.com/
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2026-01-10 00:00:00 UTC |
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel