Server-Side Request Forgery Vulnerability in AVTECH DVR Devices
CVE-2025-34051
6.9 MEDIUM
What is CVE-2025-34051?
A server-side request forgery (SSRF) vulnerability has been identified in various firmware versions of AVTECH DVR devices, in the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint. The endpoint requires no authentication and lets an attacker manipulate parameters such as ip, port, and queryb64str. As a result, an attacker could make the DVR issue arbitrary HTTP requests to both internal and external systems, which may expose sensitive information or allow unauthorized interaction with internal services.
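An added detection example (not part of the original advisory or any vendor code): it scans access logs from a proxy or gateway in front of the DVR for requests to the endpoint named above and reports which destination each request points the DVR at. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/nobody/Search.cgi"
# Assumed log format: combined access log, client address first.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_target(ip):
    """Label the destination the DVR is being asked to contact."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "hostname-or-invalid"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    return "internal" if any(addr in n for n in RFC1918) else "external"

def find_cgi_query_requests(lines):
    """Return one finding per request to Search.cgi?action=cgi_query."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        params = parse_qs(url.query, keep_blank_values=True)
        if url.path != ENDPOINT or params.get("action", [""])[0] != "cgi_query":
            continue
        ip = params.get("ip", [""])[0]
        findings.append({
            "source": m.group("src"),
            "target_ip": ip,
            "target_port": params.get("port", [""])[0],
            "target_class": classify_target(ip),
            "has_queryb64str": "queryb64str" in params,
        })
    return findings

# Constructed sample lines; addresses and the payload value are placeholders.
_PRE = '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    _PRE + ENDPOINT + '?action=cgi_query&ip=192.168.1.20&port=80&queryb64str=Y29uc3RydWN0ZWQ= HTTP/1.1" 200 512',
    _PRE + ENDPOINT + '?action=cgi_query&ip=127.0.0.1&port=8080&queryb64str=Y29uc3RydWN0ZWQ= HTTP/1.1" 200 64',
    _PRE + ENDPOINT + '?action=cgi_query&ip=203.0.113.50&port=80&queryb64str=Y29uc3RydWN0ZWQ= HTTP/1.1" 200 64',
    _PRE + '/index.html HTTP/1.1" 200 1024',
]
```

Because the endpoint requires no authentication, any hit from a source that is not a known management host is worth reviewing, and hits whose target class is internal, loopback or link-local deserve priority.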
Affected Version(s)
DVR devices 1001-1000-1000-1000
DVR devices 1001-1000-1001-1001
DVR devices 1002-1000-1002-1001
CVSS V4
Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
Credit
Gergely Eberhardt (SEARCH-LAB.hu)