fkie_nvd - fkie_cve-2025-34050

FKIE_CVE-2025-34050

Vulnerability from fkie_nvd - Published: 2025-07-01 15:15 - Updated: 2025-07-03 15:14

Severity ?

5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the device configuration without user interaction.

References

	URL	Tags
	disclosure@vulncheck.com	https://avtech.com/
	disclosure@vulncheck.com	https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns
	disclosure@vulncheck.com	https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH
	disclosure@vulncheck.com	https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities
	disclosure@vulncheck.com	https://www.exploit-db.com/exploits/40500

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A\u00a0cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user\u2019s browser session, allow unauthorized changes to the device configuration without user interaction."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de cross-site request forgery (CSRF) en la interfaz web de AVTECH IP camera, DVR, y NVR. Un atacante puede manipular solicitudes maliciosas que, al ejecutarse en el contexto de la sesi\u00f3n del navegador de un usuario autenticado, permiten cambios no autorizados en la configuraci\u00f3n del dispositivo sin la interacci\u00f3n del usuario."
    }
  ],
  "id": "CVE-2025-34050",
  "lastModified": "2025-07-03T15:14:12.767",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.1,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-01T15:15:22.933",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://avtech.com/"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://www.exploit-db.com/exploits/40500"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Secondary"
    }
  ]
}

CVE-2025-34050 (GCVE-0-2025-34050)

Vulnerability from cvelistv5 – Published: 2025-07-01 14:42 – Updated: 2025-07-01 18:45

Title

AVTECH IP Camera, DVR, and NVR Devices Cross-Site Request Forgery

Summary

Severity ?

5.1 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

VulnCheck

References

URL

Tags

	https://www.exploit-db.com/exploits/40500	exploit
	https://avtech.com/	product
	https://web.archive.org/web/20240810225729/https:…	third-party-advisorytechnical-description
	https://web.archive.org/web/20161029201749/https:…	exploit
	https://vulncheck.com/advisories/avtech-ipcamera-…	third-party-advisory

Impacted products

Vendor

Product

Version

AVTECH

IP cameras

Affected: 0

	AVTECH	DVR devices	Affected: 0
	AVTECH	NVR devices	Affected: 0

Credits

Gergely Eberhardt (SEARCH-LAB.hu)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-34050",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-01T18:44:55.395830Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-01T18:45:06.703Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Web Management Interface (configuration endpoints)"
          ],
          "product": "IP cameras",
          "vendor": "AVTECH",
          "versions": [
            {
              "status": "affected",
              "version": "0"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Web Management Interface (configuration endpoints)"
          ],
          "product": "DVR devices",
          "vendor": "AVTECH",
          "versions": [
            {
              "status": "affected",
              "version": "0"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Web Management Interface (configuration endpoints)"
          ],
          "product": "NVR devices",
          "vendor": "AVTECH",
          "versions": [
            {
              "status": "affected",
              "version": "0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gergely Eberhardt (SEARCH-LAB.hu)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A\u0026nbsp;cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user\u2019s browser session, allow unauthorized changes to the device configuration without user interaction."
            }
          ],
          "value": "A\u00a0cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user\u2019s browser session, allow unauthorized changes to the device configuration without user interaction."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-01T14:42:57.143Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/40500"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://avtech.com/"
        },
        {
          "tags": [
            "third-party-advisory",
            "technical-description"
          ],
          "url": "https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "AVTECH IP Camera, DVR, and NVR Devices Cross-Site Request Forgery",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-34050",
    "datePublished": "2025-07-01T14:42:57.143Z",
    "dateReserved": "2025-04-15T19:15:22.548Z",
    "dateUpdated": "2025-07-01T18:45:06.703Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2025-34050

CVE-2025-34050 (GCVE-0-2025-34050)

Tags

Sightings

Nomenclature