ByteOS Network

NVD Vulnerability Details :

CVE-2025-34056

Awaiting Analysis

Source-disclosure@vulncheck.com

Published At-01 Jul, 2025 | 15:15

Updated At-03 Jul, 2025 | 15:14

An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	9.4	CRITICAL	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 9.4

Base severity: CRITICAL

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-20	Secondary	disclosure@vulncheck.com
CWE-78	Secondary	disclosure@vulncheck.com

CWE ID: CWE-20

Type: Secondary

Source: disclosure@vulncheck.com

CWE ID: CWE-78

Type: Secondary

Source: disclosure@vulncheck.com

References

Hyperlink	Source	Resource
https://avtech.com/	disclosure@vulncheck.com	N/A
https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns	disclosure@vulncheck.com	N/A
https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH	disclosure@vulncheck.com	N/A
https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities	disclosure@vulncheck.com	N/A
https://www.exploit-db.com/exploits/40500	disclosure@vulncheck.com	N/A