CVE-2025-34055

N/A Unknown

Published: July 01, 2025 Modified: April 15, 2026

Description

An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://avtech.com/

Source: disclosure@vulncheck.com

https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns

Source: disclosure@vulncheck.com

https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH

Source: disclosure@vulncheck.com

https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities

Source: disclosure@vulncheck.com

https://www.exploit-db.com/exploits/40500

Source: disclosure@vulncheck.com

5 reference(s) from NVD

Quick Stats

CVSS v3 Score

N/A / 10.0

EPSS (Exploit Probability)

1.8%

83th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-20 CWE-78

Related CVEs

CVE-2026-42615 7.2

CVE-2026-23773 4.3

CVE-2026-40560 N/A

CVE-2026-7363 N/A

CVE-2026-7361 N/A