Gergely Eberhardt

Name of the Vulnerable Software and Affected Versions: AVTECH IP cameras, DVRs, and NVRs (affected versions not specified) Description: An improper certificate validation issue exists due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AVTECH IP camera, DVR, and NVR devices (affected versions not specified) Description: An OS command injection issue exists in the devices via the "PwdGrp.cgi" endpoint, which handles user and group management operations. Authenticated users can supply input through the `pwd` or `grp` parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges. Recommendations: As a temporary workaround, consider disabling access to the "PwdGrp.cgi" endpoint until a patch is available. Restrict access to the `pwd` and `grp` parameters in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AVTECH IP camera, DVR, and NVR devices (affected versions not specified) Description: An authentication bypass issue exists in the streamd web server of AVTECH devices. The `strstr()` function allows unauthenticated access to any request containing "/nobody" in the URL, bypassing login controls. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AVTECH IP camera, DVR, and NVR devices (affected versions not specified) Description: A cross-site request forgery (CSRF) issue exists in the web interface of the devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the device configuration without user interaction. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AVTECH DVR devices (affected versions not specified) Description: A server-side request forgery issue exists in AVTECH DVR devices, exposing the "/cgi-bin/nobody/Search.cgi?action=cgi query" endpoint without authentication. An attacker can manipulate the `ip`, `port`, and `queryb64str` parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AVTECH IP cameras, DVRs, and NVRs (affected versions not specified) Description: An unauthenticated information disclosure issue exists, allowing access to sensitive internal device information such as firmware version, MAC address, and codec support without authentication. This is possible via the "Machine.cgi?action=get capability" API endpoint. Recommendations: As a temporary workaround, consider restricting access to the "Machine.cgi?action=get capability" API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AVTECH IP camera, DVR, and NVR devices (affected versions not specified) Description: An authentication bypass issue exists in the streamd web server of AVTECH devices. The `strstr()` function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AVTECH DVR (affected versions not specified) **Description** An unauthenticated command injection issue exists in AVTECH DVR devices. The vulnerability occurs because the `wget` utility is used without proper input sanitization in the 'Search.cgi?action=cgi query' endpoint. This allows remote attackers to inject shell commands through the `username` or `queryb64str` parameters, resulting in the execution of arbitrary code with root privileges. Real-world exploitation of this issue was observed by the Shadowserver Foundation on 2025-03-07 UTC. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AVTECH DVR, NVR, and IP camera devices (affected versions not specified) Description: An OS command injection issue exists within the "adcommand.cgi" endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the `strCmd` parameter. This input is executed directly by the system shell without sanitation, allowing attackers to execute commands as the root user. Recommendations: As a temporary workaround, consider restricting access to the "adcommand.cgi" endpoint to minimize the risk of exploitation. Avoid using the `strCmd` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DNR-326 versions prior to 2.10 build 03 **Description** The issue is related to the `check login` function and is caused by weaknesses in the authentication procedure. It allows a remote attacker to bypass authentication and log in by manipulating the `username` cookie parameter. **Recommendations** For versions prior to 2.10 build 03, update to version 2.10 build 03 or later to resolve the issue. As a temporary workaround, consider restricting access to the `check login` function until a patch is available. Avoid using the `username` cookie parameter in the affected login endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PuTTY versions 0.62 and earlier WinSCP versions prior to 5.1.6 **Description** The issue is related to an integer overflow that can occur when a remote SSH server sends a negative size value in an RSA key signature during the SSH handshake. This can trigger a heap-based buffer overflow, potentially allowing the execution of arbitrary code in certain applications that use PuTTY, and can cause a denial of service (crash). **Recommendations** For PuTTY versions 0.62 and earlier, update to a version later than 0.62 to resolve the issue. For WinSCP versions prior to 5.1.6, update to version 5.1.6 or later to resolve the issue.