Description
A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.
Reserved 2025-04-15 | Published 2025-07-01 | Updated 2025-07-01 | Assigner
VulnCheckMEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
Problem types
CWE-918 Server-Side Request Forgery (SSRF)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Product status
Default status
unaffected
1001-1000-1000-1000
affected
1001-1000-1001-1001
affected
1002-1000-1002-1001
affected
1002-1001-1000-1000
unaffected
1002-1001-1001-1001
affected
1004-1002-1001-1000
affected
1004-1002-1003-1000-FFFF
affected
1004V-1002V-1003V-1001V
affected
1004Y-1002Y-1001EJ-1000Y
affected
1004Y-1002Y-1001Y-1000Y
affected
1005-1002-1002-1000
affected
1005-1002-1004-1001
affected
1006-1001-1003-1004
affected
1006-1002-1003-1000
affected
1006Y-1002Y-1003Y-1000Y
affected
1007-1002-1004-1000
affected
1007-1003-1003-1002
affected
1007-1003-1005-1001
affected
1007E-1003E-1005EJ-1001E
affected
1007V-1003V-1005V-1001V
affected
1007Y-1002Y-1004Y-1000Y
affected
1008-1002-1005-1000
affected
1008-1004-1003-1002
affected
1009-1003-1005-1006
affected
1009-1003-1006-1001
affected
1009-1007-1007-1000-FFFF
affected
1009Y-1003Y-1006Y-1001Y
affected
1010-1004-1007-1001
affected
1010-1005-1005-1002
affected
1011-1004-1005-1006
affected
1011-1005-1007-1001
affected
1011-1005-1007EJ-1001
affected
1011-1005-1008-1002
affected
1012-1004-1005-1006
affected
1012-1005-1007-1002
affected
1012-1006-1007-1001
affected
1012-1008-1009-1000-FFFF
affected
1014-1005-1009-1002
affected
1014-1007-1009-1001
affected
1014-1010-1010-1000-FFFF
affected
1014Y-1007Y-1009Y-1001Y
affected
1015-1006-1010-1003
affected
1015-1007-1007-1007
affected
1015-1007-1010-1001
affected
1015-1010-1011-1000-FFFF
affected
1015Y-1007Y-1010Y-1001Y
affected
1016-1007-1005-1001
affected
1016-1007-1011-1001
affected
1016-1007-1011-1003
affected
1016-1008-1007-1007
affected
1016Y-1007Y-1011Y-1001Y
affected
1017-1008-1012-1002
affected
1017-1009-1008-1008
affected
1017-1011-1013-1001-FFFF
affected
1017f-1011f-1013f-1001f-FFFF
affected
1017Y-1008Y-1012Y-1002Y
affected
1018-1008-1012-1004
affected
1019-1009-1013-1003
affected
1019-1010-1009-1009
affected
1019c-1012c-1014c-1001c-FFFF
affected
1021-1011-1010-1009
affected
1022-1012-1011-1009
affected
1022-1014-1016-1002-FFFF
affected
1022Y-1014Y-1016Y-1002Y-FFFF
affected
1023-1013-1011-1009
affected
1023-1014-1017-1002-FFFF
affected
1025-1014-1013-1009
affected
1026-1014-1014-1009
affected
1027-1014-1015-1009
affected
S968-S968-S968-S968
affected
V171P-V171P-V171P-V171P
affected
V189-V189-V189-V189
affected
Credits
Gergely Eberhardt (SEARCH-LAB.hu) finder
References
www.exploit-db.com/exploits/40500 exploit
avtech.com/ product
web.archive.org/...6-AVTech-devices-multiple-vulnerabilities third-party-advisory technical-description
web.archive.org/...1029201749/https://github.com/ebux/AVTECH exploit
vulncheck.com/...ries/avtech-ipcamera-nvr-dvr-mulitple-vulns third-party-advisory
cve.org (CVE-2025-34051)
nvd.nist.gov (CVE-2025-34051)
Download JSON