CVE-2026-34005
Received - Intake
Root OS Command Injection in Xiongmai DVR/NVR via DVRIP

Publication date: 2026-03-29

Last updated on: 2026-03-29

Assigner: MITRE

Description
In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is used.
Meta Information
Published: 2026-03-29
Last Modified: 2026-03-29
Generated: 2026-05-06
AI Q&A: 2026-03-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
xiongmai dvr_nvr 4.03.R11
xiongmai dvr_nvr From 4.03.R11 (inc)
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34005 is an OS command injection vulnerability found in certain Xiongmai DVR/NVR devices running firmware version 4.03.R11. The issue occurs in the hostname configuration handling of the Sofia binary, which is accessed via the authenticated DVRIP protocol on TCP port 34567.

Specifically, the vulnerability arises because the device uses the system() function to execute a shell command that includes the hostname value without properly sanitizing or escaping shell metacharacters. This allows an authenticated attacker to inject arbitrary OS commands by crafting malicious hostname input.

The affected devices include DVR model AHB7008T-MH-V2 and NVR model NBD7024H-P with the specified firmware. The vulnerability was discovered through static firmware analysis, reverse engineering, and emulation techniques.


How can this vulnerability impact me?

This vulnerability allows an authenticated attacker to execute arbitrary commands on the affected device with root privileges by injecting shell metacharacters into the hostname configuration. Consequences include:

  • Full control over the device's operating system environment.
  • Potential to disrupt device functionality or cause denial of service.
  • Ability to manipulate or exfiltrate sensitive data stored or processed by the device.
  • Use of the compromised device as a foothold for further attacks within a network.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs via an authenticated DVRIP protocol request on TCP port 34567 to the hostname configuration handler. Detection involves monitoring or testing for unauthorized or suspicious hostname configuration changes sent over TCP port 34567.

Since the vulnerability requires authentication and involves injection of shell metacharacters in the HostName value, detection can include checking for unusual or malformed hostname values containing shell metacharacters.

Specific commands to detect exploitation attempts are not provided in the available information.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include preventing the use of shell invocation in the hostname configuration path.

  • Replace system() calls with non-shell APIs such as sethostname() to avoid command injection.
  • Implement strict allowlist validation of hostname input to reject invalid or malicious characters.
  • Reject or escape shell metacharacters in hostname values as a defense-in-depth measure.
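
The first two mitigation points above (a non-shell API plus allowlist validation), as an added C example that is not the vendor's code and does not come from the advisory. The function names, the single-label 63-byte allowlist policy and the sample inputs are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE   /* exposes sethostname() in <unistd.h> on glibc */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Pattern the description refers to (hypothetical reconstruction, not the
 * firmware's actual code): the value is pasted into a command line and
 * handed to a shell, so metacharacters in it are interpreted.
 *
 *     snprintf(cmd, sizeof cmd, "hostname %s", name);
 *     system(cmd);
 */

/* Allowlist (assumed policy): one label of 1..63 bytes made of ASCII
 * letters, digits and '-', not starting or ending with '-'.
 * Returns 1 if the value is acceptable, 0 otherwise. */
int hostname_is_valid(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 63 || name[0] == '-' || name[len - 1] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-';
        if (!ok)
            return 0;   /* rejects ; | & $ ` ( ) spaces, quotes, newlines */
    }
    return 1;
}

/* Hardened path: validate first, then call sethostname(2) directly. No shell
 * runs, so the bytes are never parsed as a command. Returns 0 on success,
 * -1 if the value is rejected or the call fails (it needs root). */
int apply_hostname(const char *name)
{
    if (!hostname_is_valid(name))
        return -1;
    return sethostname(name, strlen(name));
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "nvr-lobby-01", "dvr;echo x", "dvr$(id)", "-bad", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               hostname_is_valid(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Rejecting the value before it reaches any command-building code also gives the device a single place to log attempted metacharacter input.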
