CVE-2025-34051 - Vulnerability Details

- AVTECH DVR Devices Server-Side Request Forgery

Description

A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.

Published: 2025-07-01

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An unauthenticated attacker can manipulate the ip, port, and queryb64str parameters of the /cgi-bin/nobody/Search.cgi endpoint to cause the affected AVTECH DVR device to issue arbitrary HTTP requests to internal or external systems. Because the endpoint is publicly exposed, the attacker can retrieve sensitive data from internal services or interact with external resources, leading to potential data leakage and unauthorized configuration adjustments. The weakness is a server‑side request forgery (CWE‑918) combined with a potential data‑exposure flaw (CWE‑200).

Affected Systems

AVTECH DVR devices running the firmware versions identified in the advisory are affected. The provided CNA list does not specify exact firmware revisions, but any device that exposes the /cgi-bin/nobody/Search.cgi endpoint without authentication is vulnerable. Administrators should review firmware documentation for their installed version and verify whether the Search.cgi endpoint remains exposed.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of < 1% shows that exploitation is currently unlikely and the vulnerability is not listed in the CISA KEV catalog. If an attacker can reach the exposed endpoint—typically via the device’s HTTP interface over a local or scoped network—they can initiate outbound requests from the DVR to arbitrary hosts, potentially exfiltrating data or attacking internal services. The likely attack vector is a remote or local network request to the vulnerable endpoint, inferred from the need to reach /cgi-bin/nobody/Search.cgi.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AVTECH

DVR devices

unaffected

Version	Status	Constraints
`1001-1000-1000-1000`	affected	—
`1001-1000-1001-1001`	affected	—
`1002-1000-1002-1001`	affected	—
`1002-1001-1000-1000`	unaffected	—
`1002-1001-1001-1001`	affected	—
`1004-1002-1001-1000`	affected	—
`1004-1002-1003-1000-FFFF`	affected	—
`1004V-1002V-1003V-1001V`	affected	—
`1004Y-1002Y-1001EJ-1000Y`	affected	—
`1004Y-1002Y-1001Y-1000Y`	affected	—
`1005-1002-1002-1000`	affected	—
`1005-1002-1004-1001`	affected	—
`1006-1001-1003-1004`	affected	—
`1006-1002-1003-1000`	affected	—
`1006Y-1002Y-1003Y-1000Y`	affected	—
`1007-1002-1004-1000`	affected	—
`1007-1003-1003-1002`	affected	—
`1007-1003-1005-1001`	affected	—
`1007E-1003E-1005EJ-1001E`	affected	—
`1007V-1003V-1005V-1001V`	affected	—
`1007Y-1002Y-1004Y-1000Y`	affected	—
`1008-1002-1005-1000`	affected	—
`1008-1004-1003-1002`	affected	—
`1009-1003-1005-1006`	affected	—
`1009-1003-1006-1001`	affected	—
`1009-1007-1007-1000-FFFF`	affected	—
`1009Y-1003Y-1006Y-1001Y`	affected	—
`1010-1004-1007-1001`	affected	—
`1010-1005-1005-1002`	affected	—
`1011-1004-1005-1006`	affected	—
`1011-1005-1007-1001`	affected	—
`1011-1005-1007EJ-1001`	affected	—
`1011-1005-1008-1002`	affected	—
`1012-1004-1005-1006`	affected	—
`1012-1005-1007-1002`	affected	—
`1012-1006-1007-1001`	affected	—
`1012-1008-1009-1000-FFFF`	affected	—
`1014-1005-1009-1002`	affected	—
`1014-1007-1009-1001`	affected	—
`1014-1010-1010-1000-FFFF`	affected	—
`1014Y-1007Y-1009Y-1001Y`	affected	—
`1015-1006-1010-1003`	affected	—
`1015-1007-1007-1007`	affected	—
`1015-1007-1010-1001`	affected	—
`1015-1010-1011-1000-FFFF`	affected	—
`1015Y-1007Y-1010Y-1001Y`	affected	—
`1016-1007-1005-1001`	affected	—
`1016-1007-1011-1001`	affected	—
`1016-1007-1011-1003`	affected	—
`1016-1008-1007-1007`	affected	—
`1016Y-1007Y-1011Y-1001Y`	affected	—
`1017-1008-1012-1002`	affected	—
`1017-1009-1008-1008`	affected	—
`1017-1011-1013-1001-FFFF`	affected	—
`1017f-1011f-1013f-1001f-FFFF`	affected	—
`1017Y-1008Y-1012Y-1002Y`	affected	—
`1018-1008-1012-1004`	affected	—
`1019-1009-1013-1003`	affected	—
`1019-1010-1009-1009`	affected	—
`1019c-1012c-1014c-1001c-FFFF`	affected	—
`1021-1011-1010-1009`	affected	—
`1022-1012-1011-1009`	affected	—
`1022-1014-1016-1002-FFFF`	affected	—
`1022Y-1014Y-1016Y-1002Y-FFFF`	affected	—
`1023-1013-1011-1009`	affected	—
`1023-1014-1017-1002-FFFF`	affected	—
`1025-1014-1013-1009`	affected	—
`1026-1014-1014-1009`	affected	—
`1027-1014-1015-1009`	affected	—
`S968-S968-S968-S968`	affected	—
`V171P-V171P-V171P-V171P`	affected	—
`V189-V189-V189-V189`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade firmware to a revision where the /cgi-bin/nobody/Search.cgi endpoint requires authentication or has been removed.
Strictly restrict network access to the DVR’s HTTP interface, using firewall rules or VLAN isolation to prevent unauthorized reach.
If firmware upgrades or endpoint removal are not feasible, disable or block the /cgi-bin/nobody/Search.cgi endpoint through local device configuration or a reverse‑proxy that rejects the request.
Monitor outbound traffic from the DVR for unusual or unapproved destination requests to detect potential exploitation.

Generated by OpenCVE AI on April 28, 2026 at 01:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-19631	A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00397.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://avtech.com/
https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns
https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH
https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities
https://www.exploit-db.com/exploits/40500

History

Tue, 01 Jul 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 01 Jul 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.
Title		AVTECH DVR Devices Server-Side Request Forgery
Weaknesses		CWE-200 CWE-918
References		https://avtech.com/ https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities https://www.exploit-db.com/exploits/40500
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-07-01T14:44:22.913Z

Updated: 2026-04-07T14:09:14.685Z

Reserved: 2025-04-15T19:15:22.548Z

Link: CVE-2025-34051

Vulnrichment

Updated: 2025-07-01T14:54:53.451Z

NVD

Status : Deferred

Published: 2025-07-01T15:15:23.467

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34051

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T01:30:17Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object