Description
An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges.
Published: 2025-07-01
Score: 9.4 Critical
EPSS: 2.0% Low
KEV: No
Impact: Root‑level Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw exists in the PwdGrp.cgi endpoint of AVTECH IP camera, DVR, and NVR devices. The CGI accepts authenticated user input through the pwd and grp fields and concatenates it directly into system shell commands without any sanitization. This missing input validation allows an authenticated user to run arbitrary shell commands as if they were the root user. The flaw is a classic example of CWE‑20 (Improper Input Validation) and CWE‑78 (OS Command Injection).

Affected Systems

AVTECH IP camera, DVR, and NVR devices are affected, but specific firmware or model versions are not disclosed in the advisory. The vulnerability impacts all devices that expose the PwdGrp.cgi interface to authenticated users. Since the advisory references multiple device types, it is reasonable to assume that all AVTECH surveillance and DVR/NVR platforms that use this CGI are at risk unless already upgraded.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.4, indicating a high severity and a likely remote exploitation. The EPSS score is 2 %, indicating a low probability of exploitation in the wild. The exploit requires authentication with privileges that allow access to the user/group management interface, so it is primarily an internal‑network or privileged‑account attack vector. It is not currently listed in the CISA KEV catalog, but once patched it should be reviewed. The attacker could achieve full control over the device, compromising confidentiality, integrity, and availability.

Generated by OpenCVE AI on April 28, 2026 at 11:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware or security patch released by AVTECH that fixes the PwdGrp.cgi command injection flaw.
  • Restrict network access to the PwdGrp.cgi endpoint by configuring firewall rules or VLAN segmentation so only trusted administrators can reach it.
  • Disable or remove unnecessary administrative accounts and enforce least‑privilege policies so that only essential users can modify user or group settings.

Generated by OpenCVE AI on April 28, 2026 at 11:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19642 An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges.
History

Tue, 01 Jul 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 01 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges.
Title AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution
Weaknesses CWE-20
CWE-78
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:17.710Z

Reserved: 2025-04-15T19:15:22.549Z

Link: CVE-2025-34056

cve-icon Vulnrichment

Updated: 2025-07-01T18:34:35.332Z

cve-icon NVD

Status : Deferred

Published: 2025-07-01T15:15:24.203

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34056

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T11:15:26Z

Weaknesses