Description
In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is used.
Published: 2026-03-29
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker who can authenticate to the DVRIP protocol to inject shell metacharacters into the HostName configuration field, causing the device's firmware to invoke the system() function with that string. This results in OS command execution with root privileges, enabling full control over the device and compromising confidentiality, integrity and availability.

Affected Systems

The affected devices are Xiongmai DVR/NVR models AHB7008T-MH-V2 and NBD7024H-P running the Sofia 4.03.R11 firmware. No other versions or models are listed as impacted.

Risk and Exploitability

The CVSS score of 8.8 reflects high severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must first authenticate to the DVRIP protocol on TCP port 34567. Once authenticated, a crafted HostName value can trigger the vulnerable system() call, giving the attacker unrestricted root access to the underlying operating system.

Generated by OpenCVE AI on March 29, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by Xiongmai that removes the vulnerable system() usage.
  • If a patch is unavailable, limit access to TCP port 34567 by firewall rules to trusted networks and enforce multifactor authentication.
  • Change default credentials and enforce a strong password policy to reduce the likelihood of credential compromise.

Generated by OpenCVE AI on March 29, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Xiongmai
Xiongmai dvr/nvr Devices
Vendors & Products Xiongmai
Xiongmai dvr/nvr Devices

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title Root OS Command Injection via HostName Field in Xiongmai DVR/NVR

Sun, 29 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is used.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Xiongmai Dvr/nvr Devices
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-30T14:19:23.210Z

Reserved: 2026-03-25T05:22:12.479Z

Link: CVE-2026-34005

cve-icon Vulnrichment

Updated: 2026-03-30T14:19:18.931Z

cve-icon NVD

Status : Deferred

Published: 2026-03-29T17:16:44.257

Modified: 2026-04-27T19:18:46.690

Link: CVE-2026-34005

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:58:05Z

Weaknesses