Vulnerability Description
An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.
Related Weaknesses (CWE)
References
- https://avtech.com/
- https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns
- https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH
- https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/
- https://www.exploit-db.com/exploits/40500
FAQ
What is CVE-2025-34054?
CVE-2025-34054 is a documented vulnerability. An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands th...
How severe is CVE-2025-34054?
CVSS scoring is not yet available for CVE-2025-34054. Check NVD for updates.
Is there a patch for CVE-2025-34054?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.