CVE-2025-34056
An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges.
No affected software listed.
- https://avtech.com/
- https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns
- https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH
- https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities
- https://www.exploit-db.com/exploits/40500
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime