Critical severityNVD Advisory· Published Jul 1, 2025· Updated Apr 15, 2026

CVE-2025-34054

Description

An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

avtech.comnvd
vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulnsnvd
web.archive.org/web/20161029201749/https://github.com/ebux/AVTECHnvd
web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilitiesnvd
www.exploit-db.com/exploits/40500nvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000