PT-2025-26992 · Vacron · Vacron Network Video Recorder
Published
2025-06-26
·
Updated
2025-11-17
·
CVE-2025-34043
CVSS v4.0
10
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions:
Vacron Network Video Recorder (NVR) devices version 1.4
Description:
A remote command injection issue exists due to improper input sanitization in the
board.cgi script. This allows unauthenticated attackers to pass arbitrary commands to the underlying operating system via crafted HTTP requests, enabling remote code execution and potential full device compromise.Recommendations:
For Vacron Network Video Recorder (NVR) devices version 1.4, a patch is needed to secure against potential compromise. As a temporary workaround, consider restricting access to the
board.cgi script until a patch is available.Exploit
Fix
RCE
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Vacron Network Video Recorder