CVE-2025-34055 - Vulnerability Details

- AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution

Description

An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user.

Published: 2025-07-01

Score: 9.4 Critical

EPSS: 1.8% Low

KEV: No

Impact:

Action:

Analysis

Impact

An authenticated user can call the DoShellCmd operation through the adcommand.cgi endpoint on AVTECH DVR, NVR, and IP camera devices. The strCmd parameter is passed unfiltered to the system shell, enabling arbitrary OS command execution with the privileges of the ActionD daemon. The result is full compromise of the device as root, allowing an attacker to modify, delete, or exfiltrate data, install persistent malware, or use the device in a larger attack chain. The weakness reflects improper input validation and unsafe command construction (CWE-20, CWE-78).

Affected Systems

AVTECH IP camera, DVR, and NVR devices.

Risk and Exploitability

The CVSS score of 9.4 classifies this flaw as critical, indicating exploitation would give an attacker total control over the affected device. The EPSS score of 2% suggests that, while the vulnerability exists, it is currently seldom exploited in the wild. The vendor has not listed this issue in the CISA KEV catalog. Exploitation requires valid credentials, so the attack vector is typically internal or involves phishing to gain authenticated access. Once authenticated, an attacker can trigger any shell command, resulting in a full root compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AVTECH

IP camera, DVR, and NVR Devices

unaffected

Version	Status	Constraints
`1001-1000-1000-1000`	affected	—
`1002-1000-1000-1000`	affected	—
`1002-1001-1001-1001`	affected	—
`1003-1000-1001-1000`	affected	—
`1003-1001-1001-1000`	affected	—
`1003-1001-1001-1001`	affected	—
`1004-1000-1000-1000`	affected	—
`1004-1001-1001-1001`	affected	—
`1004-1001-1002-1000`	affected	—
`1004-1002-1001-1000`	affected	—
`1004V-1002V-1003V-1001V`	affected	—
`1004Y-1002Y-1001EJ-1000Y`	affected	—
`1005-1001-1002-1000`	affected	—
`1005-1002-1001-1002`	affected	—
`1005-1002-1002-1000`	affected	—
`1005-1002-1004-1001`	affected	—
`1006-1001-1003-1000`	affected	—
`1006-1001-1003-1003`	affected	—
`1006-1002-1001-1002`	affected	—
`1006-1002-1003-1000`	affected	—
`1006R-1002R-1001R-1002R`	affected	—
`1007-1001-1003-1000`	affected	—
`1007-1001-1003-1003`	affected	—
`1007-1002-1004-1000`	affected	—
`1007-1003-1005-1001`	affected	—
`1007E-1003E-1005EJ-1001E`	affected	—
`1007V-1003V-1005V-1001V`	affected	—
`1008-1001-1001-1001`	affected	—
`1008-1002-1002-1003`	affected	—
`1008-1002-1005-1000`	affected	—
`1008-1003-1005-1003`	affected	—
`1008-1004-1003-1002`	affected	—
`1009-1001-1002-1001`	affected	—
`1009-1001-1004-1000`	affected	—
`1009-1003-1006-1001`	affected	—
`1009-1004-1005-1006`	affected	—
`1009-1004-1006-1003`	affected	—
`1009Y-1003Y-1006Y-1001Y`	affected	—
`1010-1001-1003-1001`	affected	—
`1010-1001-1004-1005`	affected	—
`1010-1002-1005-1000`	affected	—
`1010-1004-1007-1001`	affected	—
`1010-1005-1005-1002`	affected	—
`1011-1002-1004-1001`	affected	—
`1011-1002-1006-1000`	affected	—
`1011-1005-1007EJ-1001`	affected	—
`1011-1005-1008-1002`	affected	—
`1012-1002-1004-1001`	affected	—
`1012-1002-1006-1005`	affected	—
`1012-1002-1007-1004`	affected	—
`1012-1003-1001-1005`	affected	—
`1012-1003-1005-1005`	affected	—
`1012-1004-1008-1008`	affected	—
`1012-1008-1009-1000-FFFF`	affected	—
`1013-1002-1006-1005`	affected	—
`1013-1003-1005-1001`	affected	—
`1013-1004-1008-1003`	affected	—
`1013-1004-1008-1008`	affected	—
`1014-1002-1007-1004`	affected	—
`1014-1003-1006-1001`	affected	—
`1014-1003-1006PL-1001`	affected	—
`1014-1003-1007-1001`	affected	—
`1014-1004-1008-1008`	affected	—
`1014-1005-1009-1002`	affected	—
`1014-1007-1009-1001`	affected	—
`1014L-1002L-1006L-1005L`	affected	—
`1015-1006-1004-1002`	affected	—
`1015-1006-1005-1002`	affected	—
`1015-1006-1008-1002`	affected	—
`1015-1006-1008-1007`	affected	—
`1015-1006-1010-1003`	affected	—
`1015-1007-1007-1007`	affected	—
`1015K-1006K-1008PO-1002K`	affected	—
`1015Y-1007Y-1010Y-1001Y`	affected	—
`1016-1003-1007-1001`	affected	—
`1016-1004-1009-1009`	affected	—
`1016-1006-1008-1007`	affected	—
`1016-1007-1005-1001`	affected	—
`1016-1007-1009-1003`	affected	—
`1016-1007-1011-1001`	affected	—
`1016-1007-1011-1003`	affected	—
`1016-1008-1007-1007`	affected	—
`1016Y-1007Y-1011Y-1001Y`	affected	—
`1017-1002-1008-1005`	affected	—
`1017-1003-1007-1002`	affected	—
`1017-1003-1008-1006`	affected	—
`1017-1008-1012-1002`	affected	—
`1017-1011-1013-1001-FFFF`	affected	—
`1017k-1003k-1008k-1006k`	affected	—
`1017Y-1008Y-1012Y-1002Y`	affected	—
`1018-1003-1005-1004`	affected	—
`1018-1003-1007-1002`	affected	—
`1018-1003-1008-1003`	affected	—
`1018-1003-1008-1004`	affected	—
`1018-1003-1008PO-1003`	affected	—
`1018-1006-1009-1007`	affected	—
`1018-1007-1009-1003`	affected	—
`1018-1008-1012-1004`	affected	—
`1019-1003-1007-1002`	affected	—
`1019-1003-1008-1001`	affected	—
`1019-1004-1009-1007`	affected	—
`1019-1007-1009-1003`	affected	—
`1019-1009-1013-1003`	affected	—
`1019-1010-1009-1009`	affected	—
`1019c-1012c-1014c-1001c-FFFF`	affected	—
`1020-1003-1008-1003`	affected	—
`1020-1003-1008-1004`	affected	—
`1020-1003-1010-1006`	affected	—
`1020-1004-1009-1007`	affected	—
`1020-1005-1011-1010`	affected	—
`1020-1005-1012-1007`	affected	—
`1020-1007-1008-1003`	affected	—
`1020-1007-1009-1003`	affected	—
`1021-1003-1008-1003`	affected	—
`1021-1003-1008-1004`	affected	—
`1021-1005-1011-1010`	affected	—
`1021-1007-1010-1003`	affected	—
`1021L-1003L-1010L-1006L`	affected	—
`1021r-1004r-1009r-1007r`	affected	—
`1022-1003-1008-1002`	affected	—
`1022-1004-1009-1007`	affected	—
`1022-1007-1012-1007`	affected	—
`1022-1012-1011-1009`	affected	—
`1022-1014-1016-1002-FFFF`	affected	—
`1022L-1004L-1011L-1006L`	affected	—
`1022L-1005L-1011L-1010L`	affected	—
`1022Y-1014Y-1016Y-1002Y-FFFF`	affected	—
`1023-1004-1010-1007`	affected	—
`1023-1014-1017-1002-FFFF`	affected	—
`1025-1006-1013-1011`	affected	—
`1025-1008-1013-1008`	affected	—
`1025-1014-1013-1009`	affected	—
`1027-1008-1012-1008`	affected	—
`1027-1008-1013-1008`	affected	—
`1027-1014-1015-1009`	affected	—
`1027L-1006L-1015L-1009L`	affected	—
`1028-1007-1014-1012`	affected	—
`1029-1007-1014-1008`	affected	—
`1030-1007-1014-1012`	affected	—
`1030-1008-1014-1008`	affected	—
`1031-1007-1015-1012`	affected	—
`1032-1007-1015-1008`	affected	—
`1032k-1007k-1015k-1008k`	affected	—
`1036r-1008r-1016r-1009r`	affected	—
`1037-1008-1017-1009`	affected	—
`S749-S749-S749-S749`	affected	—
`S820-S820-S820-S820`	affected	—
`S823-S823-S823-S823`	affected	—
`S855-S855-S855-S855`	affected	—
`S914V-S914V-S914V-S914V`	affected	—
`S968-S968-S968-S968`	affected	—
`S984-S984-S984-S984`	affected	—
`T717-T717-T717-T717`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Obtain and install the latest firmware or vendor patch that sanitizes input for the adcommand.cgi endpoint or removes the DoShellCmd feature.
If a patch is not yet available, restrict or disable authentication for the ActionD daemon and expose the endpoint only to trusted internal networks using network segmentation and firewall rules.
Consider disabling the ActionD daemon entirely or replacing it with a secure alternative to eliminate the command injection vector.
Implement routine vulnerability scans of AVTECH devices and monitor for anomalous system shell activity in logs.

Generated by OpenCVE AI on April 28, 2026 at 11:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-19643	An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01786.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://avtech.com/
https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns
https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH
https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities
https://www.exploit-db.com/exploits/40500

History

Wed, 02 Jul 2025 08:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 01 Jul 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user.
Title		AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution
Weaknesses		CWE-20 CWE-78
References		https://avtech.com/ https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities https://www.exploit-db.com/exploits/40500
Metrics		cvssV4_0 `{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-07-01T14:46:38.848Z

Updated: 2026-04-07T14:09:16.960Z

Reserved: 2025-04-15T19:15:22.548Z

Link: CVE-2025-34055

Vulnrichment

Updated: 2025-07-01T18:33:17.019Z

NVD

Status : Deferred

Published: 2025-07-01T15:15:24.053

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T11:15:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object