Critical severityNVD Advisory· Published Jul 1, 2025· Updated Apr 15, 2026

CVE-2025-34055

Description

An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

avtech.comnvd
vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulnsnvd
web.archive.org/web/20161029201749/https://github.com/ebux/AVTECHnvd
web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilitiesnvd
www.exploit-db.com/exploits/40500nvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000