Description
An OS command injection vulnerability exists in the adcommand.cgi endpoint of AVTECH DVR, NVR, and IP camera devices. The endpoint interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation and pass arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitization, allowing attackers to execute commands as the root user.
Reserved 2025-04-15 | Published 2025-07-01 | Updated 2025-07-01 | Assigner VulnCheck
CRITICAL: 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Problem types
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-20 Improper Input Validation
Product status
Default status: unaffected
1001-1000-1000-1000
affected
1002-1000-1000-1000
affected
1002-1001-1001-1001
affected
1003-1000-1001-1000
affected
1003-1001-1001-1000
affected
1003-1001-1001-1001
affected
1004-1000-1000-1000
affected
1004-1001-1001-1001
affected
1004-1001-1002-1000
affected
1004-1002-1001-1000
affected
1004V-1002V-1003V-1001V
affected
1004Y-1002Y-1001EJ-1000Y
affected
1005-1001-1002-1000
affected
1005-1002-1001-1002
affected
1005-1002-1002-1000
affected
1005-1002-1004-1001
affected
1006-1001-1003-1000
affected
1006-1001-1003-1003
affected
1006-1002-1001-1002
affected
1006-1002-1003-1000
affected
1006R-1002R-1001R-1002R
affected
1007-1001-1003-1000
affected
1007-1001-1003-1003
affected
1007-1002-1004-1000
affected
1007-1003-1005-1001
affected
1007E-1003E-1005EJ-1001E
affected
1007V-1003V-1005V-1001V
affected
1008-1001-1001-1001
affected
1008-1002-1002-1003
affected
1008-1002-1005-1000
affected
1008-1003-1005-1003
affected
1008-1004-1003-1002
affected
1009-1001-1002-1001
affected
1009-1001-1004-1000
affected
1009-1003-1006-1001
affected
1009-1004-1005-1006
affected
1009-1004-1006-1003
affected
1009Y-1003Y-1006Y-1001Y
affected
1010-1001-1003-1001
affected
1010-1001-1004-1005
affected
1010-1002-1005-1000
affected
1010-1004-1007-1001
affected
1010-1005-1005-1002
affected
1011-1002-1004-1001
affected
1011-1002-1006-1000
affected
1011-1005-1007EJ-1001
affected
1011-1005-1008-1002
affected
1012-1002-1004-1001
affected
1012-1002-1006-1005
affected
1012-1002-1007-1004
affected
1012-1003-1001-1005
affected
1012-1003-1005-1005
affected
1012-1004-1008-1008
affected
1012-1008-1009-1000-FFFF
affected
1013-1002-1006-1005
affected
1013-1003-1005-1001
affected
1013-1004-1008-1003
affected
1013-1004-1008-1008
affected
1014-1002-1007-1004
affected
1014-1003-1006-1001
affected
1014-1003-1006PL-1001
affected
1014-1003-1007-1001
affected
1014-1004-1008-1008
affected
1014-1005-1009-1002
affected
1014-1007-1009-1001
affected
1014L-1002L-1006L-1005L
affected
1015-1006-1004-1002
affected
1015-1006-1005-1002
affected
1015-1006-1008-1002
affected
1015-1006-1008-1007
affected
1015-1006-1010-1003
affected
1015-1007-1007-1007
affected
1015K-1006K-1008PO-1002K
affected
1015Y-1007Y-1010Y-1001Y
affected
1016-1003-1007-1001
affected
1016-1004-1009-1009
affected
1016-1006-1008-1007
affected
1016-1007-1005-1001
affected
1016-1007-1009-1003
affected
1016-1007-1011-1001
affected
1016-1007-1011-1003
affected
1016-1008-1007-1007
affected
1016Y-1007Y-1011Y-1001Y
affected
1017-1002-1008-1005
affected
1017-1003-1007-1002
affected
1017-1003-1008-1006
affected
1017-1008-1012-1002
affected
1017-1011-1013-1001-FFFF
affected
1017k-1003k-1008k-1006k
affected
1017Y-1008Y-1012Y-1002Y
affected
1018-1003-1005-1004
affected
1018-1003-1007-1002
affected
1018-1003-1008-1003
affected
1018-1003-1008-1004
affected
1018-1003-1008PO-1003
affected
1018-1006-1009-1007
affected
1018-1007-1009-1003
affected
1018-1008-1012-1004
affected
1019-1003-1007-1002
affected
1019-1003-1008-1001
affected
1019-1004-1009-1007
affected
1019-1007-1009-1003
affected
1019-1009-1013-1003
affected
1019-1010-1009-1009
affected
1019c-1012c-1014c-1001c-FFFF
affected
1020-1003-1008-1003
affected
1020-1003-1008-1004
affected
1020-1003-1010-1006
affected
1020-1004-1009-1007
affected
1020-1005-1011-1010
affected
1020-1005-1012-1007
affected
1020-1007-1008-1003
affected
1020-1007-1009-1003
affected
1021-1003-1008-1003
affected
1021-1003-1008-1004
affected
1021-1005-1011-1010
affected
1021-1007-1010-1003
affected
1021L-1003L-1010L-1006L
affected
1021r-1004r-1009r-1007r
affected
1022-1003-1008-1002
affected
1022-1004-1009-1007
affected
1022-1007-1012-1007
affected
1022-1012-1011-1009
affected
1022-1014-1016-1002-FFFF
affected
1022L-1004L-1011L-1006L
affected
1022L-1005L-1011L-1010L
affected
1022Y-1014Y-1016Y-1002Y-FFFF
affected
1023-1004-1010-1007
affected
1023-1014-1017-1002-FFFF
affected
1025-1006-1013-1011
affected
1025-1008-1013-1008
affected
1025-1014-1013-1009
affected
1027-1008-1012-1008
affected
1027-1008-1013-1008
affected
1027-1014-1015-1009
affected
1027L-1006L-1015L-1009L
affected
1028-1007-1014-1012
affected
1029-1007-1014-1008
affected
1030-1007-1014-1012
affected
1030-1008-1014-1008
affected
1031-1007-1015-1012
affected
1032-1007-1015-1008
affected
1032k-1007k-1015k-1008k
affected
1036r-1008r-1016r-1009r
affected
1037-1008-1017-1009
affected
S749-S749-S749-S749
affected
S820-S820-S820-S820
affected
S823-S823-S823-S823
affected
S855-S855-S855-S855
affected
S914V-S914V-S914V-S914V
affected
S968-S968-S968-S968
affected
S984-S984-S984-S984
affected
T717-T717-T717-T717
affected
Credits
Gergely Eberhardt (SEARCH-LAB.hu), finder
References
www.exploit-db.com/exploits/40500 (exploit)
avtech.com/ (product)
web.archive.org/...6-AVTech-devices-multiple-vulnerabilities (third-party-advisory, technical-description)
web.archive.org/...1029201749/https://github.com/ebux/AVTECH (exploit)
vulncheck.com/...ries/avtech-ipcamera-nvr-dvr-mulitple-vulns (third-party-advisory)
cve.org (CVE-2025-34055)
nvd.nist.gov (CVE-2025-34055)