Skip to main content

CVE-2026-34005

| EUVDEUVD-2026-17041 HIGH
OS Command Injection (CWE-78)
2026-03-29 cve@mitre.org GHSA-2969-xpvc-282x
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 19:22 vuln.today
cvss_changed
EUVD ID Assigned
Mar 29, 2026 - 17:22 euvd
EUVD-2026-17041
Analysis Generated
Mar 29, 2026 - 17:22 vuln.today
CVE Published
Mar 29, 2026 - 17:16 nvd
HIGH 8.8

DescriptionCVE.org

In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is used.

AnalysisAI

Remote code execution with root privileges affects Xiongmai DVR/NVR devices (models AHB7008T-MH-V2 and NBD7024H-P running firmware 4.03.R11) via authenticated OS command injection through the proprietary DVRIP protocol on TCP port 34567. Low-privileged authenticated attackers can inject shell metacharacters into the HostName parameter of NetWork.NetCommon configuration requests, achieving full system compromise due to unsafe system() function usage. CVSS 8.8 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.

Technical ContextAI

This vulnerability exploits the DVRIP (Digital Video Recorder over IP) protocol, a proprietary management interface used by Xiongmai devices running on TCP port 34567. The affected NetWork.NetCommon configuration handler uses the insecure system() function to process the HostName parameter without proper input sanitization. This represents a classic CWE-78 OS Command Injection flaw where user-controlled input is passed directly to shell execution functions. Shell metacharacters (such as semicolons, pipes, backticks, or command substitution operators) allow authenticated users to break out of the intended command context and execute arbitrary system commands with root privileges. The vulnerability exists in the Sofia firmware branch, specifically version 4.03.R11, affecting both DVR (Digital Video Recorder) and NVR (Network Video Recorder) product lines from Xiongmai Technology.

RemediationAI

Contact Xiongmai Technology directly for firmware updates addressing CVE-2026-34005, as no vendor-released patch version has been independently confirmed at time of analysis. Monitor the vendor website at https://www.xiongmaitech.com and the technical disclosure at https://uky007.github.io/CVE-2026-34005/ for patch availability and remediation guidance. As immediate mitigation, restrict network access to TCP port 34567 (DVRIP protocol) using firewall rules to prevent unauthorized network access, ideally limiting connections to trusted management networks only. Change all default credentials immediately and implement strong authentication policies. Consider network segmentation to isolate surveillance infrastructure from general corporate networks. Disable remote management features if not operationally required. Regular security audits should verify that DVRIP ports are not exposed to the public internet through port scanning and asset inventory validation.

Share

CVE-2026-34005 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy