CVE-2026-34005

CVE-2026-34005 is a root OS command injection vulnerability (CWE-78) affecting Sofia firmware version 4.03.R11 on Xiongmai DVR/NVR devices, specifically models AHB7008T-MH-V2 and NBD7024H-P. The flaw arises in the NetWork.NetCommon configuration handler, which processes HostName values over the authenticated DVRIP protocol on TCP port 34567 and uses the system() function without proper sanitization, enabling injection of shell metacharacters. Published on 2026-03-29, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting network accessibility, low attack complexity, and high potential impacts on confidentiality, integrity, and availability.

An attacker with low-privilege authenticated access can exploit the vulnerability remotely by crafting a DVRIP request containing shell metacharacters in the HostName field, leading to arbitrary root-level OS command execution. Successful exploitation grants full control over the device, potentially allowing persistence, data exfiltration, lateral movement in networks with exposed DVR/NVR systems, or use as a pivot for further attacks.

Advisories and mitigation details are available in the referenced sources, including the detailed analysis at https://uky007.github.io/CVE-2026-34005/ and the vendor site at https://www.xiongmaitech.com.