Critical severity · NVD Advisory · Published Jul 1, 2025 · Updated Apr 15, 2026
CVE-2025-34054
Description
An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.
Affected products: 1
References (5)
- avtech.com (nvd)
- vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns (nvd)
- web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH (nvd)
- web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities (nvd)
- www.exploit-db.com/exploits/40500 (nvd)
News mentions (2)
- ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More (The Hacker News · Jun 8, 2026)
- New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation (Cyber Security News · Jun 5, 2026)