Remote Command Injection in Vacron Network Video Recorder Devices
CVE-2025-34043

10CRITICAL

Key Information:

Vendor

Vacron

Status
Network Video Recorder (nvr)
Vendor
CVE Published:
26 June 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-34043?

A critical security flaw exists in Vacron Network Video Recorder devices v1.4 due to improper input sanitization within the board.cgi script. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the underlying operating system by sending specially crafted HTTP requests. The executed commands run with the privileges of the web server process, enabling attackers to achieve remote code execution, leading to potential full device compromise. Organizations using affected versions of Vacron NVR devices should implement mitigation measures immediately to safeguard against unauthorized access and control.

Affected Version(s)

Network Video Recorder (NVR) 1.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-34043 - Proof of Concept

References

https://www.tenable.com/plugins/nessus/104124
third-party-advisory
https://www.sonicwall.com/blog/vacron-network-video-recor...
third-party-advisorysignaturetechnical-description
https://ssd-disclosure.com/ssd-advisory-vacron-nvr-remote...
third-party-advisoryexploit

CVSS V4

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-34043 : Remote Command Injection in Vacron Network Video Recorder Devices