PT-2025-27538 · Avtech · Avtech Dvr

Gergely Eberhardt · Published 2025-07-01 · Updated 2026-06-03 · CVE-2025-34054

CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: AVTECH DVR devices (affected versions not specified)
Description: An unauthenticated command injection issue exists in AVTECH DVR devices. The root cause is missing input sanitization when the "Search.cgi?action=cgi query" endpoint invokes wget: an attacker can inject shell commands through the username or queryb64str parameters, and the injected commands execute with root privileges.
Recommendations: For all affected versions, consider disabling access to the "Search.cgi?action=cgi query" endpoint until a patch is available. Restrict invocation of the wget command with unsanitized input to minimize the risk of exploitation. Avoid using the username and queryb64str parameters of the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
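A defender who cannot yet disable the endpoint will want to know whether anyone is probing it. The following Python script is an added example, not part of this advisory and not AVTECH code: it scans web-server access-log lines for requests to Search.cgi whose action is the literal "cgi query" token named above, URL-decodes the username parameter, base64-decodes queryb64str, and flags values that contain shell metacharacters or that are not valid base64 at all. The combined log format, the /cgi-bin/Search.cgi path, the exact action token and the metacharacter set are assumptions; adjust them to the device's real request format. The sample log lines are constructed for the demonstration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Characters that have no legitimate place in a username or in the decoded
# query string handed to wget; their presence is the detection signal.
# (Assumed set; extend it if the device accepts other shells.)
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\]")

# Apache/nginx-style combined log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_queryb64str(value):
    """Return the decoded queryb64str text, or None if it is not valid base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def inspect_request(target):
    """Return a list of (parameter, reason) findings for one request target.

    Requests that are not Search.cgi?action=cgi query are out of scope and
    yield an empty list, as do clean requests.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("Search.cgi"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action", [""])[0] != "cgi query":  # literal token from the advisory
        return []
    findings = []
    for username in qs.get("username", []):
        if SHELL_META.search(username):
            findings.append(("username", "shell metacharacter in value"))
    for b64 in qs.get("queryb64str", []):
        decoded = decode_queryb64str(b64)
        if decoded is None:
            findings.append(("queryb64str", "not valid base64"))
        elif SHELL_META.search(decoded):
            findings.append(("queryb64str", "shell metacharacter after base64 decoding"))
    return findings


def scan_log(text):
    """Scan access-log text; return one dict per finding with line, client, param, reason."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not a log entry in the assumed format
        for param, reason in inspect_request(m.group("target")):
            hits.append({"line": lineno, "client": m.group("client"),
                         "param": param, "reason": reason})
    return hits


# --- constructed sample traffic (assumed path /cgi-bin/Search.cgi) ---
def _b64(s):
    return base64.b64encode(s.encode()).decode()


def _request(params):
    return "/cgi-bin/Search.cgi?" + urlencode(params)


SAMPLE_LOG = "\n".join([
    # clean request
    f'192.0.2.10 - - [01/Jul/2025:10:00:01 +0000] "GET {_request({"action": "cgi query", "username": "admin", "queryb64str": _b64("name=cam1")})} HTTP/1.1" 200 512',
    # metacharacter in username
    f'192.0.2.11 - - [01/Jul/2025:10:00:02 +0000] "GET {_request({"action": "cgi query", "username": "admin;echo probe", "queryb64str": _b64("name=cam1")})} HTTP/1.1" 200 512',
    # metacharacter hidden inside the base64 parameter
    f'192.0.2.12 - - [01/Jul/2025:10:00:03 +0000] "GET {_request({"action": "cgi query", "username": "admin", "queryb64str": _b64("name=$(echo probe)")})} HTTP/1.1" 200 512',
    # queryb64str that is not base64 at all
    f'192.0.2.13 - - [01/Jul/2025:10:00:04 +0000] "GET {_request({"action": "cgi query", "username": "admin", "queryb64str": "not*base64"})} HTTP/1.1" 200 512',
    # unrelated request, ignored
    '192.0.2.14 - - [01/Jul/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['param']}: {hit['reason']}")
```

Decoding queryb64str before inspecting it matters: a naive search for metacharacters in the raw query string would miss anything the base64 layer hides, and a value that fails to decode is itself worth a look, since a legitimate client should always send well-formed base64.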

Exploit

OS Command Injection

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-11528
CVE-2025-34054

Affected Products

Avtech Dvr