CVE-2025-34050
Description
A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the device configuration without user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in AVTECH IP cameras, DVRs, and NVRs allows attackers to modify device settings by tricking authenticated users into clicking a malicious link.
The web interface of AVTECH IP cameras, DVRs, and NVRs lacks cross-site request forgery (CSRF) protection, allowing an attacker to forge requests on behalf of an authenticated user [2][3]. This vulnerability is part of a larger set of issues identified in AVTECH devices, including plaintext password storage and unauthenticated information disclosure [3].
To exploit the CSRF vulnerability, an attacker crafts a malicious request and tricks an authenticated user into executing it, typically by hosting a specially crafted webpage. If the user has an active session, the attacker can change any device configuration without further interaction. Additionally, if the default admin password has not been changed, the attacker can log in via CSRF and then perform arbitrary actions [2][3].
Successful exploitation allows an attacker to modify device settings, potentially gaining persistent access to the device, disrupting surveillance operations, or using the device as a pivot for further attacks. Since many AVTECH devices are exposed to the internet (over 130,000 according to Shodan), this vulnerability poses a significant risk [3].
AVTECH has not released an official patch for this vulnerability, though users are advised to update to the latest firmware and change default passwords. Given the age of the advisory (first published in 2016) and the continued exposure of devices, this vulnerability may still be exploitable in unpatched systems [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (5)
- avtech.com (nvd)
- vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns (nvd)
- web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH (nvd)
- web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities (nvd)
- www.exploit-db.com/exploits/40500 (nvd)