CVE-2025-34054
AVTECH IP camera, DVR, and NVR Devices Unauthenticated Command Injection
Basic Information
- CVE State: PUBLISHED
- Reserved Date: April 15, 2025
- Published Date: July 01, 2025
- Last Updated: April 07, 2026
- Vendor: AVTECH
- Product: IP camera, DVR, and NVR Devices
- Description: An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.
CVSS Scores
CVSS v4.0
10.0 - CRITICAL
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SSVC Information
- Exploitation: poc
- Automatable: Yes
- Technical Impact: total
Exploit Status
- Exploited in the Wild: Yes (2026-03-23 00:00:00 UTC)
References
https://www.exploit-db.com/exploits/40500
https://avtech.com/
https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities
https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH
https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2026-03-23 00:00:00 UTC |
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel