Description
An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints.
Published: 2025-07-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Protected Endpoints
Action: Apply Update
AI Analysis

Impact

AVTECH IP camera, DVR, and NVR devices expose a streamd web server that performs a simple string search with strstr() for the substring ".cab". Any HTTP request whose URL contains the ".cab" string causes the server to skip authentication checks and grant direct access to protected endpoints. This flaw allows an attacker to retrieve or manipulate sensitive device data without valid credentials, potentially leading to unauthorized monitoring, configuration changes, or data exfiltration.

Affected Systems

The affected products are AVTECH IP cameras, DVRs, and NVR devices. The CVE does not list specific firmware or software versions; the flaw exists in the streamd web server component of the devices as described.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating moderate severity. The EPSS score is reported as <1%, implying a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, but the publicly available exploit-db reference suggests that an exploit has been demonstrated. The likely attack vector is network-based URL manipulation targeting the device's web interface. Because the flaw is only an authentication bypass, it does not provide remote code execution by itself, but it exposes significant internal endpoints, increasing the potential impact if combined with other weaknesses.

Generated by OpenCVE AI on April 28, 2026 at 18:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install any AVTECH firmware or software patch that closes the authentication bypass (CWE-290) for the streamd web server.
  • Configure network or device firewalls to block HTTP requests containing the string ".cab" so the authentication bypass cannot be triggered from outside.
  • Conduct internal security testing to confirm that authentication is enforced on all web endpoints, and audit logs for any access outside normal authentication flows.
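The description above gives the root cause as a bare strstr() match on ".cab", and the recommended actions ask for confirmation that authentication is enforced on every endpoint and for log review. The following is an added illustrative model written for this page; it is not streamd's source, not AVTECH's fix, and the "/cab/" download prefix, the endpoint paths and the sample request lines are all constructed assumptions. It contrasts the described substring check with a hardened check that inspects only the path component and accepts a single clean filename ending in ".cab", and it reuses that check to flag log entries where ".cab" appears but the request is not a genuine download.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the flaw as described in the advisory: if ".cab" appears anywhere
 * in the request URL, authentication is skipped. Kept deliberately faithful to
 * the described behaviour; it is not the device's actual code. */
bool vulnerable_skips_auth(const char *url)
{
    return strstr(url, ".cab") != NULL;
}

/* Hardened replacement (hypothetical): examine only the path (up to '?' or
 * '#'), require the assumed download prefix, require the path to END with
 * ".cab", and allow only a single plain filename segment (no '/', '.', '\\')
 * so traversal and mid-path ".cab" tricks are rejected. */
bool hardened_is_cab_download(const char *url)
{
    static const char prefix[] = "/cab/";  /* assumed download directory */
    static const char suffix[] = ".cab";
    const size_t plen = sizeof(prefix) - 1;
    const size_t slen = sizeof(suffix) - 1;
    size_t len = strcspn(url, "?#");        /* length of the path component */

    if (len < plen + slen + 1)                   return false; /* too short for "/cab/x.cab" */
    if (strncmp(url, prefix, plen) != 0)         return false; /* not under the download dir */
    if (memcmp(url + len - slen, suffix, slen))  return false; /* path must end in ".cab" */

    /* Basename between prefix and suffix: alphanumerics, '_' and '-' only. */
    const char *name = url + plen;
    size_t nlen = len - plen - slen;
    for (size_t i = 0; i < nlen; i++) {
        char c = name[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok) return false;
    }
    return true;
}

/* Authorization decision under the hardened rule: only a genuine .cab
 * download is served unauthenticated; everything else needs a valid session. */
bool hardened_requires_auth(const char *url)
{
    return !hardened_is_cab_download(url);
}

/* Log-review helper: a request that carries ".cab" but is not a real download
 * is exactly the shape the advisory describes, so flag it for investigation. */
bool looks_like_bypass_attempt(const char *url)
{
    return strstr(url, ".cab") != NULL && !hardened_is_cab_download(url);
}

/* Runs the detector over constructed sample request paths (not device
 * traffic) and returns how many were flagged. */
int count_flagged(const char *const *urls, size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (looks_like_bypass_attempt(urls[i])) flagged++;
    return flagged;
}

int main(void)
{
    /* Constructed sample of request paths as they might appear in an access log. */
    static const char *const sample[] = {
        "/cab/update_v1.cab",          /* legitimate download */
        "/protected/settings?.cab",    /* ".cab" only in the query string */
        "/protected/settings.cab",     /* ".cab" outside the download dir */
        "/cab/../protected/x.cab",     /* traversal in the basename */
    };
    size_t n = sizeof(sample) / sizeof(sample[0]);
    for (size_t i = 0; i < n; i++)
        printf("%-32s vulnerable-skips-auth=%d hardened-requires-auth=%d flagged=%d\n",
               sample[i], vulnerable_skips_auth(sample[i]),
               hardened_requires_auth(sample[i]), looks_like_bypass_attempt(sample[i]));
    printf("flagged: %d of %zu\n", count_flagged(sample, n), n);
    return 0;
}
```

Note that the same contrast explains why the firewall workaround above is coarse: blocking every request containing ".cab" also blocks the legitimate downloads the check was meant to allow, whereas the path-based rule distinguishes the two.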


Advisories

Source: EUVD
ID: EUVD-2025-19645
Title: An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices' streamd web server. The strstr() function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints.

History

Tue, 01 Jul 2025 19:15:00 +0000

Values added:
  • Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Jul 2025 15:00:00 +0000

Values added:
  • Description: An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices' streamd web server. The strstr() function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints.
  • Title: AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via .cab Path Manipulation
  • Weaknesses: CWE-290
  • References
  • Metrics cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:15.581Z

Reserved: 2025-04-15T19:15:22.548Z

Link: CVE-2025-34053

Vulnrichment

Updated: 2025-07-01T18:30:50.237Z

NVD

Status: Deferred

Published: 2025-07-01T15:15:23.760

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34053

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:00:20Z

Weaknesses