← volver
CVE-2025-34054

AVTECH IP camera, DVR, and NVR Devices Unauthenticated Command Injection

CVSS 10 CRITICALEPSS 2.7%CWE-78
Vexday Risk Score
48Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS 10EPSS 2.7%KEV nãoPoC públicaNuclei Metasploit Patch
Ciclo de vida
01 jul 2025Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Productos afectados
AVTECH · IP camera, DVR, and NVR Devices
PoCs públicas encontradas2
cve_referenceweb.archive.org/web/20161029201749/https://github.com/ebux/AVTECHno verificadocve_referencewww.exploit-db.com/exploits/40500no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://avtech.com/https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulnshttps://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECHhttps://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilitieshttps://www.exploit-db.com/exploits/40500