CVE-2026-34005
Published: 29 March 2026
Summary
CVE-2026-34005 is a high-severity OS Command Injection (CWE-78) vulnerability in Github (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 26.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by requiring validation and sanitization of untrusted HostName inputs to block shell metacharacters before execution via system().
Addresses the vulnerability through timely flaw remediation via firmware patches that fix the unsanitized system() call in the NetWork.NetCommon handler.
Mitigates exposure by restricting least functionality to disable unnecessary DVRIP protocol handlers or ports like TCP 34567 on embedded devices.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote exploitation of a network service (DVRIP on TCP/34567) for root OS command injection from low-privilege access, directly facilitating T1210 (Exploitation of Remote Services), T1068 (Exploitation for Privilege Escalation), and T1059.004 (Unix Shell).
NVD Description
In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is…
more
used.
Deeper analysisAI
CVE-2026-34005 is a root OS command injection vulnerability (CWE-78) affecting Sofia firmware version 4.03.R11 on Xiongmai DVR/NVR devices, specifically models AHB7008T-MH-V2 and NBD7024H-P. The flaw arises in the NetWork.NetCommon configuration handler, which processes HostName values over the authenticated DVRIP protocol on TCP port 34567 and uses the system() function without proper sanitization, enabling injection of shell metacharacters. Published on 2026-03-29, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting network accessibility, low attack complexity, and high potential impacts on confidentiality, integrity, and availability.
An attacker with low-privilege authenticated access can exploit the vulnerability remotely by crafting a DVRIP request containing shell metacharacters in the HostName field, leading to arbitrary root-level OS command execution. Successful exploitation grants full control over the device, potentially allowing persistence, data exfiltration, lateral movement in networks with exposed DVR/NVR systems, or use as a pivot for further attacks.
Advisories and mitigation details are available in the referenced sources, including the detailed analysis at https://uky007.github.io/CVE-2026-34005/ and the vendor site at https://www.xiongmaitech.com.
Details
- CWE(s)