Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is used.
AnalysisAI
Remote code execution with root privileges affects Xiongmai DVR/NVR devices (models AHB7008T-MH-V2 and NBD7024H-P running firmware 4.03.R11) via authenticated OS command injection through the proprietary DVRIP protocol on TCP port 34567. Low-privileged authenticated attackers can inject shell metacharacters into the HostName parameter of NetWork.NetCommon configuration requests, achieving full system compromise due to unsafe system() function usage. CVSS 8.8 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.
Technical ContextAI
This vulnerability exploits the DVRIP (Digital Video Recorder over IP) protocol, a proprietary management interface used by Xiongmai devices running on TCP port 34567. The affected NetWork.NetCommon configuration handler uses the insecure system() function to process the HostName parameter without proper input sanitization. This represents a classic CWE-78 OS Command Injection flaw where user-controlled input is passed directly to shell execution functions. Shell metacharacters (such as semicolons, pipes, backticks, or command substitution operators) allow authenticated users to break out of the intended command context and execute arbitrary system commands with root privileges. The vulnerability exists in the Sofia firmware branch, specifically version 4.03.R11, affecting both DVR (Digital Video Recorder) and NVR (Network Video Recorder) product lines from Xiongmai Technology.
RemediationAI
Contact Xiongmai Technology directly for firmware updates addressing CVE-2026-34005, as no vendor-released patch version has been independently confirmed at time of analysis. Monitor the vendor website at https://www.xiongmaitech.com and the technical disclosure at https://uky007.github.io/CVE-2026-34005/ for patch availability and remediation guidance. As immediate mitigation, restrict network access to TCP port 34567 (DVRIP protocol) using firewall rules to prevent unauthorized network access, ideally limiting connections to trusted management networks only. Change all default credentials immediately and implement strong authentication policies. Consider network segmentation to isolate surveillance infrastructure from general corporate networks. Disable remote management features if not operationally required. Regular security audits should verify that DVRIP ports are not exposed to the public internet through port scanning and asset inventory validation.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17041
GHSA-2969-xpvc-282x