CVE-2026-34005
Received Received - Intake
Root OS Command Injection in Xiongmai DVR/NVR via DVRIP

Publication date: 2026-03-29

Last updated on: 2026-03-29

Assigner: MITRE

Description
In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-29
Last Modified
2026-03-29
Generated
2026-06-16
AI Q&A
2026-03-29
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34005
EUVD
EUVD-2026-17041
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
xiongmai dvr_nvr 4.03.R11
xiongmai dvr_nvr From 4.03.R11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34005 is an OS command injection vulnerability found in certain Xiongmai DVR/NVR devices running firmware version 4.03.R11. The issue occurs in the hostname configuration handling of the Sofia binary, which is accessed via the authenticated DVRIP protocol on TCP port 34567.

Specifically, the vulnerability arises because the device uses the system() function to execute a shell command that includes the hostname value without properly sanitizing or escaping shell metacharacters. This allows an authenticated attacker to inject arbitrary OS commands by crafting malicious hostname input.

The affected devices include DVR model AHB7008T-MH-V2 and NVR model NBD7024H-P with the specified firmware. The vulnerability was discovered through static firmware analysis, reverse engineering, and emulation techniques.

Impact Analysis

This vulnerability allows an authenticated attacker to execute arbitrary commands on the affected device with root privileges by injecting shell metacharacters into the hostname configuration.

  • Full control over the device's operating system environment.
  • Potential to disrupt device functionality or cause denial of service.
  • Ability to manipulate or exfiltrate sensitive data stored or processed by the device.
  • Use of the compromised device as a foothold for further attacks within a network.
Detection Guidance

This vulnerability occurs via an authenticated DVRIP protocol request on TCP port 34567 to the hostname configuration handler. Detection involves monitoring or testing for unauthorized or suspicious hostname configuration changes sent over TCP port 34567.

Since the vulnerability requires authentication and involves injection of shell metacharacters in the HostName value, detection can include checking for unusual or malformed hostname values containing shell metacharacters.

Specific commands to detect exploitation attempts are not provided in the available information.

Mitigation Strategies

Immediate mitigation steps include preventing the use of shell invocation in the hostname configuration path.

  • Replace system() calls with non-shell APIs such as sethostname() to avoid command injection.
  • Implement strict allowlist validation of hostname input to reject invalid or malicious characters.
  • Reject or escape shell metacharacters in hostname values as a defense-in-depth measure.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34005. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart