CVE-2025-34054
AVTECH IP camera, DVR, and NVR Devices Unauthenticated Command Injection
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.
| CWE | CWE-78 |
| Vendor | avtech |
| Product | ip camera, dvr, and nvr devices |
| Published | Jul 1, 2025 |
| Last Updated | Apr 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for avtech ip camera, dvr, and nvr devices
Be the first to know when new unknown vulnerabilities affecting avtech ip camera, dvr, and nvr devices are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
AVTECH / IP camera, DVR, and NVR Devices
1008-1002-1005-1000 1009-1003-1006-1001 1009Y-1003Y-1006Y-1001Y 1010-1004-1007-1001 1011-1005-1008-1002 1014-1005-1009-1002 1015-1006-1010-1003 1016-1007-1011-1003 1017-1008-1012-1002 1017Y-1008Y-1012Y-1002Y 1018-1008-1012-1004 1019-1009-1013-1003 1019c-1012c-1014c-1001c-FFFF 1022-1014-1016-1002-FFFF 1022Y-1014Y-1016Y-1002Y-FFFF 1023-1014-1017-1002-FFFF
References
exploit-db.com: https://www.exploit-db.com/exploits/40500 avtech.com: https://avtech.com/ web.archive.org: https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities web.archive.org: https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH vulncheck.com: https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns
Credits
Gergely Eberhardt (SEARCH-LAB.hu)