OS Command Injection Vulnerability in AVTECH DVR and IP Camera Devices
CVE-2025-34055

9.4CRITICAL

Key Information:

Vendor: Avtech
Status: Ip Camera, Dvr, And Nvr Devices
Vendor: CVE Published:; 1 July 2025

Badges

👾 Exploit Exists

What is CVE-2025-34055?

An OS command injection vulnerability exists within AVTECH DVR, NVR, and IP camera devices, specifically at the adcommand.cgi endpoint interfacing with the ActionD daemon. This vulnerability allows authenticated users to invoke the DoShellCmd operation, executing arbitrary commands by passing unvalidated input through the strCmd parameter. Consequently, this input is processed directly by the system shell, enabling potential attackers to execute commands with root privileges, posing significant security risks to the affected devices.

Affected Version(s)

IP camera, DVR, and NVR Devices 1001-1000-1000-1000

IP camera, DVR, and NVR Devices 1002-1000-1000-1000

IP camera, DVR, and NVR Devices 1002-1001-1001-1001

References

https://www.exploit-db.com/exploits/40500

exploit

https://avtech.com/

product

https://web.archive.org/web/20240810225729/https://www.se...

third-party-advisorytechnical-description

CVSS V4

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jul 1, 2025
👾
Exploit known to exist
Jul 1, 2025
Vulnerability published
Jul 1, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

Gergely Eberhardt (SEARCH-LAB.hu)

Avtech

Badges

What is CVE-2025-34055?

Affected Version(s)

References

CVSS V4

Timeline

Credit