Description
A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the device configuration without user interaction.
Published: 2025-07-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration changes via CSRF
Action: Apply Patch
AI Analysis

Impact

A cross-site request forgery vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. The web interface lacks anti-CSRF protection: state-changing requests are accepted without a valid token, a weakness classified as CWE-352. An attacker who gets a malicious request executed in the context of a logged-in user’s browser session can change device parameters or settings without the user’s interaction. The altered configuration can affect network connectivity, image capture, or other core functions, giving an attacker significant operational impact.

Affected Systems

The vulnerability impacts AVTECH DVR devices, AVTECH IP cameras, and AVTECH NVR devices. No specific firmware versions are listed in the advisory, so any device running the affected web interface is potentially susceptible.

Risk and Exploitability

The CVSS score is 5.1, indicating moderate severity. The EPSS score is below 1%, suggesting a very low exploitation probability under current threat intelligence. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web-based CSRF: a compromised or malicious site issues requests through an authenticated user’s browser, which requires that the browser can reach the device’s web UI and holds an active session.

Generated by OpenCVE AI on April 28, 2026 at 01:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check AVTECH for firmware updates that fix the CSRF issue and apply them immediately
  • Disable remote web interface access or restrict it to trusted IP addresses to limit the attack surface
  • If the device supports CSRF guard mechanisms, enable them or require authentication tokens on state‑changing requests


Advisories
Source: EUVD
ID: EUVD-2025-19647
Title: A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the device configuration without user interaction.

History

Tue, 01 Jul 2025 19:15:00 +0000

Values added (no values removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Jul 2025 15:00:00 +0000

Values added (no values removed):

  • Description: A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the device configuration without user interaction.
  • Title: AVTECH IP Camera, DVR, and NVR Devices Cross-Site Request Forgery
  • Weaknesses: CWE-352
  • References
  • Metrics: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:13.996Z

Reserved: 2025-04-15T19:15:22.548Z

Link: CVE-2025-34050

Vulnrichment

Updated: 2025-07-01T18:29:18.916Z

NVD

Status: Deferred

Published: 2025-07-01T15:15:22.933

Modified: 2026-06-17T09:13:22.833

Link: CVE-2025-34050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T01:30:17Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)