CVE-2025-34051

Vulnerability Description

A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.

Related Weaknesses (CWE)

References

• https://avtech.com/
• https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns
• https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH
• https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/
• https://www.exploit-db.com/exploits/40500

FAQ

What is CVE-2025-34051?

CVE-2025-34051 is a documented vulnerability. A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An ...

How severe is CVE-2025-34051?

CVSS scoring is not yet available for CVE-2025-34051. Check NVD for updates.

Is there a patch for CVE-2025-34051?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.