An authentication bypass vulnerability exists in the streamd web server of AVTECH IP camera, DVR, and NVR devices. The server uses the strstr() function to identify .cab requests; because strstr() matches a substring anywhere in its input, any URL containing .cab bypasses authentication and can access protected endpoints.
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
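
The weak check described above beside a stricter one, as an added example that is not AVTECH's firmware code. The function names, the allowlisted path /plugin/viewer.cab and the sample URLs are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Weak pattern from the advisory: substring match over the whole URL,
 * so ".cab" in a query string or a directory name also matches. */
bool is_cab_request_weak(const char *url)
{
    return strstr(url, ".cab") != NULL;
}

/* Hypothetical allowlist of files that may be served without login. */
static const char *const PUBLIC_CAB_FILES[] = { "/plugin/viewer.cab" };

/* Stricter check: isolate the path (everything before '?' or '#') and
 * require an exact, full-length match against the allowlist. */
bool is_cab_request_strict(const char *url)
{
    size_t path_len = strcspn(url, "?#");
    size_t n = sizeof PUBLIC_CAB_FILES / sizeof PUBLIC_CAB_FILES[0];

    for (size_t i = 0; i < n; i++) {
        if (strlen(PUBLIC_CAB_FILES[i]) == path_len &&
            memcmp(url, PUBLIC_CAB_FILES[i], path_len) == 0)
            return true;   /* only this exact file skips authentication */
    }
    return false;          /* everything else goes through the auth check */
}

int main(void)
{
    /* Constructed request URLs, not taken from a real device. */
    const char *samples[] = {
        "/plugin/viewer.cab",
        "/plugin/viewer.cab?v=2",
        "/admin/settings?x=.cab",
        "/admin/.cab/settings",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s weak=%d strict=%d\n", samples[i],
               is_cab_request_weak(samples[i]),
               is_cab_request_strict(samples[i]));
    return 0;
}
```

Rows where weak=1 and strict=0 are requests the substring check would exempt from authentication even though they do not name the public file.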