Description
An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function allows unauthenticated access to any request containing "/nobody" in the URL, bypassing login controls.
Published: 2025-07-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch Now
AI Analysis

Impact

An authentication bypass flaw exists in the streamd web server of AVTECH IP camera, DVR, and NVR devices. The flaw stems from a strstr() check that lets any HTTP request containing the path fragment "/nobody" be processed without login credentials, effectively bypassing the device’s authentication mechanism. The description does not state which functions become available after the bypass; the inference is that an attacker could reach any privileged functionality normally protected by authentication, such as viewing live streams or changing configuration settings.
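
The difference between a substring test and an anchored path test, as an added C illustration of this weakness class (CWE-290); it is not AVTECH's streamd code, which this page does not show. The trailing-slash prefix "/nobody/", the function names, and the sample paths are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed public prefix; only the "/nobody" fragment comes from the advisory. */
#define PUBLIC_PREFIX "/nobody/"

/* Flawed pattern: the marker may appear anywhere in the raw request URL,
 * including the query string, so it says nothing about the resource. */
bool is_public_substring(const char *url)
{
    return strstr(url, "/nobody") != NULL;
}

/* Hardened pattern: inspect only the path, require the prefix at offset 0,
 * and fail closed on escapes or dot segments that could leave the prefix. */
bool is_public_anchored(const char *url)
{
    size_t path_len = strcspn(url, "?#");      /* drop query and fragment */
    size_t prefix_len = strlen(PUBLIC_PREFIX);

    if (path_len < prefix_len || strncmp(url, PUBLIC_PREFIX, prefix_len) != 0)
        return false;
    for (size_t i = 0; i < path_len; i++) {
        if (url[i] == '%' || url[i] == '\\')
            return false;                       /* encoded or alternate separators */
        if (url[i] == '/' && url[i + 1] == '.' && url[i + 2] == '.')
            return false;                       /* "/.." traversal segment */
    }
    return true;
}

int main(void)
{
    /* Constructed sample URLs; the protected path is hypothetical. */
    const char *samples[] = {
        "/nobody/login.png",
        "/settings/export?ref=/nobody",
        "/nobody/../settings/export",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s substring=%d anchored=%d\n", samples[i],
               is_public_substring(samples[i]), is_public_anchored(samples[i]));
    return 0;
}
```

Any request where the two functions disagree is one that a substring check would exempt from authentication even though it does not address a public resource.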

Affected Systems

The affected equipment is the AVTECH IP camera, DVR, and NVR product line. No specific firmware revisions or model numbers were cited; the vulnerability is reported to affect the base streamd web server present in all AVTECH devices that host this component.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity level. The EPSS score is reported to be less than 1%, suggesting that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The most probable attack vector is an unauthenticated HTTP request directed at the device’s web interface, containing the substring "/nobody" in the URL path. If the device is reachable from an untrusted network or the internet, an attacker could exploit this path without any credentials or additional privileges.

Generated by OpenCVE AI on April 28, 2026 at 11:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or firmware update for AVTECH IP camera, DVR, and NVR devices if available
  • Configure a firewall or reverse proxy to reject any HTTP requests that contain "/nobody" in the URL path
  • Restrict access to the device’s web interface to trusted networks or local hosts only, or disable the interface when it is not needed


Advisories
Source | ID | Title
EUVD | EUVD-2025-19641 | An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function allows unauthenticated access to any request containing "/nobody" in the URL, bypassing login controls.

History

Tue, 01 Jul 2025 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Jul 2025 15:00:00 +0000

Type | Values Removed | Values Added
Description | | An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function allows unauthenticated access to any request containing "/nobody" in the URL, bypassing login controls.
Title | | AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via /nobody URL Path
Weaknesses | | CWE-290
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:18.570Z

Reserved: 2025-04-15T19:15:22.549Z

Link: CVE-2025-34065

Vulnrichment

Updated: 2025-07-01T18:35:58.115Z

NVD

Status: Deferred

Published: 2025-07-01T15:15:25.187

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34065

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T11:15:26Z

Weaknesses