Ip Camera, Dvr, And Nvr Devices
Approved changes feed: RSS · Atom
cpe:2.3:a:avtech:ip_camera,_dvr,_and_nvr_devices:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Avtech (064374b9-08a7-5b62-a2bd-77f43f7d6e76) |
|---|---|
| Product | Ip Camera, Dvr, And Nvr Devices (5fa0ba95-2d38-5c88-8bef-a5c269944569) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-34065 |
vulnerable | 2026-06-03 15:00:43.524848 |
AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via /nobody URL Path
An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function allows unauthenticated access to any request containing "/nobody" in the URL, bypassing login controls.
Published: 2025-07-01T14:47:23.621Z
Updated: 2026-04-07T14:09:18.570Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-34056 |
vulnerable | 2026-06-03 15:00:43.506904 |
AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution
An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges.
Published: 2025-07-01T14:46:52.800Z
Updated: 2026-04-07T14:09:17.710Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-34055 |
vulnerable | 2026-06-03 15:00:43.506435 |
AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution
An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user.
Published: 2025-07-01T14:46:38.848Z
Updated: 2026-04-07T14:09:16.960Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-34054 |
vulnerable | 2026-06-03 15:00:43.505570 |
AVTECH IP camera, DVR, and NVR Devices Unauthenticated Command Injection
An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.
Published: 2025-07-01T14:46:00.832Z
Updated: 2026-04-07T14:09:16.220Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-34053 |
vulnerable | 2026-06-03 15:00:43.504857 |
AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via .cab Path Manipulation
An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints.
Published: 2025-07-01T14:45:02.858Z
Updated: 2026-04-07T14:09:15.581Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.