CVE-2026-34005 | THREATINT

Description

In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is used.

PUBLISHED Reserved 2026-03-25 | Published 2026-03-29 | Updated 2026-03-30 | Assigner mitre

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status

unknown

4.03.R11 (custom)

affected

References

www.xiongmaitech.com

uky007.github.io/CVE-2026-34005/

cve.org (CVE-2026-34005)

nvd.nist.gov (CVE-2026-34005)

Download JSON