239 matches found
CVE-2025-50944
An issue was discovered in the method push.lite.avtech.com.MySSLSocketFactoryNew.checkServerTrusted in AVTECH EagleEyes 2.0.0. The custom X509TrustManager used in checkServerTrusted only checks the certificate's expiration date, skipping proper TLS chain validation...
CVE-2025-46408
An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.PushHttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER, bypassing domain validation...
AVTECH EagleEyes Lite security vulnerability
AVTECH EagleEyes Lite is a remote instant monitoring mobile application from AVTECH, a Taiwan, China-based company. A security vulnerability exists in AVTECH EagleEyes Lite version 2.0.0, which originates from the GetHttpsResponse method transmitting sensitive information with explicit query...
AVTECH EagleEyes security vulnerability
AVTECH EagleEyes is a remote instant monitoring mobile application from AVTECH, a Taiwan, China-based company. A security vulnerability exists in AVTECH EagleEyes version 2.0.0, which originates from a custom X509TrustManager that only checks the certificate expiration date and skips TLS chain...
PT-2025-37566
Name of the Vulnerable Software and Affected Versions: AVTECH EagleEyes version 2.0.0 Description: The custom X509TrustManager used in the checkServerTrusted function only checks the certificate's expiration date, bypassing proper TLS chain validation. Recommendations: At the moment, there is no...
CVE-2025-50944
CVE-2025-50944 affects AVTECH EagleEyes 2.0.0. The vulnerability is in push.lite.avtech.com.MySSLSocketFactoryNew.checkServerTrusted where a custom X509TrustManager only checks certificate expiration date and does not perform proper TLS chain validation, enabling potential MITM or improper trust ...
The vulnerability of the web interface of IP camera software and digital/netscreen video recorders from Avtech allows an intruder to perform a CSRF attack.
The vulnerability of the web interface of IP camera software and digital/netscreen recorders from Avtech relates to the manipulation of cross-site requests. Exploiting this vulnerability allows a remote attacker to execute a CSRF attack...
CVE-2025-34051
A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgiquery endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests...
CVE-2025-34054
An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgiquery. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence wa...
CVE-2025-34050
A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the device configuration...
CVE-2025-34056
An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without...
CVE-2025-34065
An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr function allows unauthenticated access to any request containing "/nobody" in the URL, bypassing login controls...
CVE-2025-34052
An unauthenticated information disclosure vulnerability exists in AVTECH IP cameras, DVRs, and NVRs via Machine.cgi?action=getcapability. Sensitive internal device information such as firmware version, MAC address, and codec support can be accessed without authentication...
CVE-2025-34053
An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints...
CVE-2025-34055
An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed...
CVE-2025-34066
An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks...