critical advisory

Xiongmai DVR/NVR Root OS Command Injection Vulnerability (CVE-2026-34005)

Xiongmai DVR/NVR devices are vulnerable to root OS command injection (CVE-2026-34005) because shell metacharacters in the HostName value are not adequately sanitized. The flaw is exploitable via an authenticated DVRIP request and potentially allows arbitrary command execution with root privileges.

Xiongmai DVR/NVR devices, specifically models AHB7008T-MH-V2 and NBD7024H-P running firmware version 4.03.R11, are susceptible to root OS command injection (CVE-2026-34005). This vulnerability arises from the inadequate sanitization of the HostName value within the NetWork.NetCommon configuration handler. An authenticated attacker can inject shell metacharacters into the HostName parameter through a DVRIP protocol request via TCP port 34567. Due to the use of the system() function, these…

Detection coverage (2)

Detect DVRIP NetWork.NetCommon HostName Manipulation

high

Detects network connections to port 34567, potentially indicating attempts to exploit CVE-2026-34005 by manipulating the HostName value in the NetWork.NetCommon configuration handler.

sigma | tactics: execution | techniques: T1550.002 | sources: network_connection, windows

Detect DVRIP Traffic on Non-Standard Ports

medium

Detects DVRIP protocol (typically TCP port 34567) being used on non-standard ports, which could indicate malicious activity or port redirection.

sigma | tactics: command_and_control | techniques: T1071.001 | sources: network_connection, windows
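
The port-based rules above do not look at the HostName value itself. The following added example (not part of the advisory or the vendor's firmware) shows a content-level check that a proxy, log pipeline or patched handler could apply: it validates HostName against RFC 1123 and reports shell metacharacters. The JSON layout `{"NetWork.NetCommon": {"HostName": ...}}`, the function names and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

# RFC 1123 host label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Characters a POSIX shell treats specially when a value is spliced into a system() string.
_SHELL_META = set(";|&$`<>(){}[]*?!~#'\"\\\n\r\t ")


def check_hostname(value):
    """Return the reasons a value is unsafe as a hostname (empty list means OK)."""
    if not isinstance(value, str):
        return ["not a string"]
    reasons = []
    meta = sorted(c for c in set(value) if c in _SHELL_META)
    if meta:
        reasons.append("shell metacharacters: " + " ".join(repr(c) for c in meta))
    if not value or len(value) > 253:
        reasons.append("length out of range")
    elif not all(_LABEL.fullmatch(label) for label in value.split(".")):
        reasons.append("not an RFC 1123 hostname")
    return reasons


def inspect_config_body(body):
    """Parse a JSON config body and check NetWork.NetCommon -> HostName.

    Assumed shape (not taken from the advisory):
    {"NetWork.NetCommon": {"HostName": "..."}}
    Returns (hostname, reasons); hostname is None when the field is absent.
    """
    try:
        doc = json.loads(body)
    except ValueError:  # also covers undecodable bytes
        return None, ["body is not valid JSON"]
    section = doc.get("NetWork.NetCommon") if isinstance(doc, dict) else None
    if not isinstance(section, dict) or "HostName" not in section:
        return None, []
    host = section["HostName"]
    return host, check_hostname(host)


# Constructed sample bodies, not captured traffic.
SAMPLES = [
    b'{"NetWork.NetCommon": {"HostName": "LocalHost"}}',
    b'{"NetWork.NetCommon": {"HostName": "cam1;id"}}',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(inspect_config_body(raw))
```

An allowlist check like this rejects the value before it can reach a shell; flagging on metacharacters alone is useful for alerting but should not be the only control.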
