Skip to main content

Aver PTC320UV2 EUVDEUVD-2026-26701

| CVE-2026-26461 MEDIUM
Command Injection (CWE-77)
2026-05-01 cve@mitre.org
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 01, 2026 - 20:31 vuln.today
CVSS changed
May 01, 2026 - 19:22 NVD
6.5 (None) 6.5 (MEDIUM)
EUVD ID Assigned
May 01, 2026 - 18:22 euvd
EUVD-2026-26701
Analysis Generated
May 01, 2026 - 18:22 vuln.today
CVE Published
May 01, 2026 - 18:16 nvd
MEDIUM 6.5

DescriptionCVE.org

A Command Injection vulnerability in the web management interface in Aver PTC320UV2 0.1.0000.65 allows an unauthenticated attacker to execute arbitrary commands via a crafted web request.

AnalysisAI

Command injection in the Aver PTC320UV2 web management interface allows unauthenticated remote attackers to execute arbitrary system commands via crafted web requests. Version 0.1.0000.65 and potentially earlier versions are affected. The vulnerability has a CVSS score of 6.5 (medium severity) with network attack vector and no authentication required, though scope is unchanged and confidentiality/integrity impact is limited. CISA SSVC assessment indicates automation is possible but current exploitation is unconfirmed.

Technical ContextAI

The Aver PTC320UV2 is a professional pan-tilt-zoom camera with integrated web-based management interface. The vulnerability stems from improper input validation in the web management interface (CWE-77: Improper Neutralization of Special Elements used in a Command), allowing attackers to inject arbitrary shell commands that are executed with the privileges of the web service process. This is a classic OS command injection flaw where user-supplied input from a web request is passed to system command execution functions without adequate sanitization or parameterization.

RemediationAI

Upgrade to a patched firmware version released by Aver. Specific patch version numbers are not provided in available references; contact Aver support or visit https://www.aver.com/Downloads/search?q=PTC320UV2 to obtain the latest firmware. As an interim compensating control, restrict network access to the PTC320UV2 web management interface to trusted administrator IP ranges only using firewall rules or network segmentation - block all non-administrative access on the management interface ports (typically TCP 80/443 or device-specific management ports). Disable remote management access if the device will only be managed locally. Disable HTTP if HTTPS is available and use HTTPS exclusively. Note that these controls reduce but do not eliminate risk - patching remains the primary remediation.

Share

EUVD-2026-26701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy