OS Command Injection in AVTECH IP Camera and DVR Products
CVE-2025-34056

9.4CRITICAL

Key Information:

Vendor: Avtech
Status: Ip Camera, Dvr, And Nvr Devices
Vendor: CVE Published:; 1 July 2025

Badges

👾 Exploit Exists

What is CVE-2025-34056?

An OS command injection vulnerability is present in AVTECH IP cameras, DVRs, and NVR devices, specifically through the PwdGrp.cgi endpoint, which handles user and group management. When authenticated users interact with the pwd or grp parameters, their input is integrated directly into system commands without adequate validation. This significant oversight enables unauthorized execution of arbitrary shell commands with root-level privileges, posing a substantial risk to device integrity and security.

Affected Version(s)

IP camera, DVR, and NVR Devices 0

References

https://www.exploit-db.com/exploits/40500

exploit

https://avtech.com/

product

https://web.archive.org/web/20240810225729/https://www.se...

third-party-advisorytechnical-description

CVSS V4

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jul 1, 2025
👾
Exploit known to exist
Jul 1, 2025
Vulnerability published
Jul 1, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

Gergely Eberhardt (SEARCH-LAB.hu)

Avtech

Badges

What is CVE-2025-34056?

Affected Version(s)

References

CVSS V4

Timeline

Credit