Cyber Resilience

CVE-2026-34005

HighRCE

Published: 29 March 2026

Published
29 March 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0154 71.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34005 is a high-severity OS Command Injection (CWE-78) vulnerability in Github (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 28.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34005 is a root OS command injection vulnerability (CWE-78) affecting Sofia firmware version 4.03.R11 on Xiongmai DVR/NVR devices, specifically models AHB7008T-MH-V2 and NBD7024H-P. The flaw arises in the NetWork.NetCommon configuration handler, which processes HostName values over the authenticated DVRIP protocol on TCP port 34567 and uses the system() function without proper sanitization, enabling injection of shell metacharacters. Published on 2026-03-29, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting network accessibility, low attack complexity, and high potential impacts on confidentiality, integrity, and availability.

An attacker with low-privilege authenticated access can exploit the vulnerability remotely by crafting a DVRIP request containing shell metacharacters in the HostName field, leading to arbitrary root-level OS command execution. Successful exploitation grants full control over the device, potentially allowing persistence, data exfiltration, lateral movement in networks with exposed DVR/NVR systems, or use as a pivot for further attacks.

Advisories and mitigation details are available in the referenced sources, including the detailed analysis at https://uky007.github.io/CVE-2026-34005/ and the vendor site at https://www.xiongmaitech.com.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is…

more

used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Vulnerability enables remote exploitation of a network service (DVRIP on TCP/34567) for root OS command injection from low-privilege access, directly facilitating T1210 (Exploitation of Remote Services), T1068 (Exploitation for Privilege Escalation), and T1059.004 (Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34792Shared CWE-78
CVE-2025-45378Shared CWE-78
CVE-2021-47745Shared CWE-78
CVE-2026-6644Shared CWE-78
CVE-2021-47747Shared CWE-78
CVE-2018-25143Shared CWE-78
CVE-2025-64120Shared CWE-78
CVE-2025-56113Shared CWE-78
CVE-2017-20215Shared CWE-78
CVE-2025-66212Shared CWE-78

Affected Assets

Github
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection by requiring validation and sanitization of untrusted HostName inputs to block shell metacharacters before execution via system().

prevent

Addresses the vulnerability through timely flaw remediation via firmware patches that fix the unsanitized system() call in the NetWork.NetCommon handler.

prevent

Mitigates exposure by restricting least functionality to disable unnecessary DVRIP protocol handlers or ports like TCP 34567 on embedded devices.

References