https://feed.craftedsignal.io/tags/xiongmai/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSun, 29 Mar 2026 17:16:44 +0000https://feed.craftedsignal.io/briefs/2026-03-xiongmai-command-injection/Sun, 29 Mar 2026 17:16:44 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-xiongmai-command-injection/Xiongmai DVR/NVR devices are vulnerable to root OS command injection (CVE-2026-34005) due to shell metacharacters in the HostName value, exploitable via an authenticated DVRIP request, potentially allowing arbitrary command execution with root privileges.<p>Xiongmai DVR/NVR devices, specifically models AHB7008T-MH-V2 and NBD7024H-P running firmware version 4.03.R11, are susceptible to root OS command injection (CVE-2026-34005). This vulnerability arises from the inadequate sanitization of the HostName value within the NetWork.NetCommon configuration handler. An authenticated attacker can inject shell metacharacters into the HostName parameter through a DVRIP protocol request via TCP port 34567. Due to the use of the <code>system()</code> function, these…</p> criticaladvisoryCVE-2026-34005command-injectionxiongmaidvrnvr