Home

Description

A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.

PUBLISHED Reserved 2025-04-15 | Published 2025-07-01 | Updated 2026-04-07 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status
unaffected

1001-1000-1000-1000
affected

1001-1000-1001-1001
affected

1002-1000-1002-1001
affected

1002-1001-1000-1000
unaffected

1002-1001-1001-1001
affected

1004-1002-1001-1000
affected

1004-1002-1003-1000-FFFF
affected

1004V-1002V-1003V-1001V
affected

1004Y-1002Y-1001EJ-1000Y
affected

1004Y-1002Y-1001Y-1000Y
affected

1005-1002-1002-1000
affected

1005-1002-1004-1001
affected

1006-1001-1003-1004
affected

1006-1002-1003-1000
affected

1006Y-1002Y-1003Y-1000Y
affected

1007-1002-1004-1000
affected

1007-1003-1003-1002
affected

1007-1003-1005-1001
affected

1007E-1003E-1005EJ-1001E
affected

1007V-1003V-1005V-1001V
affected

1007Y-1002Y-1004Y-1000Y
affected

1008-1002-1005-1000
affected

1008-1004-1003-1002
affected

1009-1003-1005-1006
affected

1009-1003-1006-1001
affected

1009-1007-1007-1000-FFFF
affected

1009Y-1003Y-1006Y-1001Y
affected

1010-1004-1007-1001
affected

1010-1005-1005-1002
affected

1011-1004-1005-1006
affected

1011-1005-1007-1001
affected

1011-1005-1007EJ-1001
affected

1011-1005-1008-1002
affected

1012-1004-1005-1006
affected

1012-1005-1007-1002
affected

1012-1006-1007-1001
affected

1012-1008-1009-1000-FFFF
affected

1014-1005-1009-1002
affected

1014-1007-1009-1001
affected

1014-1010-1010-1000-FFFF
affected

1014Y-1007Y-1009Y-1001Y
affected

1015-1006-1010-1003
affected

1015-1007-1007-1007
affected

1015-1007-1010-1001
affected

1015-1010-1011-1000-FFFF
affected

1015Y-1007Y-1010Y-1001Y
affected

1016-1007-1005-1001
affected

1016-1007-1011-1001
affected

1016-1007-1011-1003
affected

1016-1008-1007-1007
affected

1016Y-1007Y-1011Y-1001Y
affected

1017-1008-1012-1002
affected

1017-1009-1008-1008
affected

1017-1011-1013-1001-FFFF
affected

1017f-1011f-1013f-1001f-FFFF
affected

1017Y-1008Y-1012Y-1002Y
affected

1018-1008-1012-1004
affected

1019-1009-1013-1003
affected

1019-1010-1009-1009
affected

1019c-1012c-1014c-1001c-FFFF
affected

1021-1011-1010-1009
affected

1022-1012-1011-1009
affected

1022-1014-1016-1002-FFFF
affected

1022Y-1014Y-1016Y-1002Y-FFFF
affected

1023-1013-1011-1009
affected

1023-1014-1017-1002-FFFF
affected

1025-1014-1013-1009
affected

1026-1014-1014-1009
affected

1027-1014-1015-1009
affected

S968-S968-S968-S968
affected

V171P-V171P-V171P-V171P
affected

V189-V189-V189-V189
affected

Credits

Gergely Eberhardt (SEARCH-LAB.hu) finder

References

www.exploit-db.com/exploits/40500 exploit

avtech.com/ product

web.archive.org/...6-AVTech-devices-multiple-vulnerabilities third-party-advisory technical-description

web.archive.org/...1029201749/https://github.com/ebux/AVTECH exploit

vulncheck.com/...ries/avtech-ipcamera-nvr-dvr-mulitple-vulns third-party-advisory

cve.org (CVE-2025-34051)

nvd.nist.gov (CVE-2025-34051)

Download JSON