CVE-2025-34065

An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function allows unauthenticated access to any request containing /nobody in the URL, bypassing login controls.

Weakness

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/21.html
• https://cwe.mitre.org/data/definitions/22.html
• https://cwe.mitre.org/data/definitions/459.html
• https://cwe.mitre.org/data/definitions/461.html
• https://cwe.mitre.org/data/definitions/473.html
• https://cwe.mitre.org/data/definitions/476.html
• https://cwe.mitre.org/data/definitions/59.html
• https://cwe.mitre.org/data/definitions/60.html
• https://cwe.mitre.org/data/definitions/667.html
• https://cwe.mitre.org/data/definitions/94.html

References

• https://avtech.com/
• https://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns
• https://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH
• https://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities
• https://www.exploit-db.com/exploits/40500