PT-2026-28591 · Xiongmai · Xiongmai Dvr/Nvr Devices 4.03.R11+2
Uky
·
Published
2026-03-29
·
Updated
2026-03-29
·
CVE-2026-34005
CVSS v3.1
8.8
High
| AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Xiongmai DVR/NVR devices versions 4.03.R11
Xiongmai AHB7008T-MH-V2
Xiongmai NBD7024H-P
Description
A root OS command injection can occur through the use of shell metacharacters in the
HostName value. This occurs via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler. The system() function is used, which allows for the execution of arbitrary commands.Recommendations
For Xiongmai DVR/NVR devices version 4.03.R11, avoid using shell metacharacters in the
HostName value.
For Xiongmai AHB7008T-MH-V2, avoid using shell metacharacters in the HostName value.
For Xiongmai NBD7024H-P, avoid using shell metacharacters in the HostName value.Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Xiaongmai Ahb7008T-Mh-V2
Xiongmai Dvr/Nvr Devices 4.03.R11
Xiongmai Nbd7024H-P