CVE-2025-34056
AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution
CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th
An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which is embedded directly into system commands without proper sanitization. This allows the execution of arbitrary shell commands with root privileges.
| CWE | CWE-78 CWE-20 |
| Vendor | avtech |
| Product | ip camera, dvr, and nvr devices |
| Published | Jul 1, 2025 |
| Last Updated | Apr 7, 2026 |
Affected Versions
AVTECH / IP camera, DVR, and NVR Devices
0
References
exploit-db.com: https://www.exploit-db.com/exploits/40500
avtech.com: https://avtech.com/
web.archive.org: https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities
web.archive.org: https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH
vulncheck.com: https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns
Credits
Gergely Eberhardt (SEARCH-LAB.hu)