CVE-2025-34054 CRITICAL

CVE-2025-34054: AVTECH IP camera, DVR, and NVR Devices Unauthenticated Command Injection

Vendor Avtech
Product IP camera, DVR, and NVR Devices
Weakness CWE-78
Published July 1, 2025
Last update April 7, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.

Key dates

02 Disclosure timeline

July 1, 2025 CVE published
April 7, 2026 Record updated