CVE-2025-34043

June 26, 2025, 6:57 p.m.

10.0
Critical

Description

A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi script. The vulnerability allows unauthenticated attackers to pass arbitrary commands to the underlying operating system via crafted HTTP requests. These commands are executed with the privileges of the web server process, enabling remote code execution and potential full device compromise.

Product(s) Impacted

Vendor Product Versions
Vacron
  • Network Video Recorder
  • 1.4

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a vacron network_video_recorder 1.4 / / / / / / /

References

https://ssd-disclosure.com/ssd-advisory-vacron-nvr-remote-command-execution/
https://vulncheck.com/advisories/vacron-nvr-remote-command-execution
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=30386
https://www.sonicwall.com/blog/vacron-network-video-recorder-remote-command-execution
https://www.tenable.com/plugins/nessus/104124
https://www.vacron.com/

Tags

CWE-20
disclosure@vulncheck.com
2025-06-26
CVE-2025-34043

CVSS Score

10.0 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: June 26, 2025, 4:15 p.m.
Last Modified: June 26, 2025, 6:57 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

disclosure@vulncheck.com

Linked Attack Reports

Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities

A new threat actor is distributing the RondoDox malware, a variant of Mirai, targeting IoT devices. The actor uses residential IP addresses for distribution and employs over a dozen exploits to target various IoT vulnerabilities. The malware's first stage is a shell script that attempts to disable …
command injection
iot
botnet
mirai
multi-platform
CVE-2024-10914
CVE-2023-1389
CVE-2025-4008
CVE-2024-3721
CVE-2025-34043
rondodox
CVE-2025-9528
CVE-2013-1599
CVE-2022-36553
CVE-2020-10987
2025-11-26
shell script
residential infrastructure
mirai variant
CVE-2020-9054
CVE-2023-23333
CVE-2014-3206
CVE-2023-41011
CVE-2022-40619
Published: November 26, 2025
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2024-10914 (CVSS 8.1), CVE-2022-42475, CVE-2017-9841, CVE-2023-23333, CVE-2019-9082, CVE-2023-1389, CVE-2025-31324 (CVSS 10.0), CVE-2025-4008 (CVSS 9.4), CVE-2024-3721, CVE-2025-34043 (CVSS 10.0), CVE-2025-9528 (CVSS 5.1), CVE-2013-1599, CVE-2022-36553, CVE-2020-10987, CVE-2023-41011, CVE-2022-40619, CVE-2022-24847, CVE-2020-8958, CVE-2014-3206, CVE-2023-1381, CVE-2022-22947, CVE-2020-9054
Downloadable IOCs: 26

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.