CVE-2025-34051

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions: AVTECH DVR devices (affected versions not specified)

Description: A server-side request forgery issue exists in AVTECH DVR devices, exposing the "/cgi-bin/nobody/Search.cgi?action=cgi query" endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Information Disclosure

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-918

Related Identifiers

CVE-2025-34051

Affected Products

Avtech Dvr

CVE-2025-34051

Weakness Enumeration

Related Identifiers

Affected Products

References · 8