CVE-2025-34054
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-07-01

Last updated on: 2025-11-20

Assigner: VulnCheck

Description
An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root.Β Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-01
Last Modified
2025-11-20
Generated
2026-05-07
AI Q&A
2025-07-01
EPSS Evaluated
2026-05-05
NVD
CVE-2025-34054
EUVD
EUVD-2025-19644
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an unauthenticated command injection in AVTECH DVR devices via the Search.cgi?action=cgi_query endpoint. Attackers can inject shell commands through the username or queryb64str parameters because the device uses wget without properly sanitizing input. This allows execution of arbitrary commands as the root user.


How can this vulnerability impact me? :

This vulnerability can have severe impacts as it allows attackers to execute arbitrary commands with root privileges on the affected device without authentication. This can lead to full system compromise, unauthorized access, data theft, device manipulation, or use of the device in further attacks.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart