Aver PTC320UV2 Command Injection Vulnerability in Web Management Interface

Vulnerability

A command injection vulnerability has been identified in the web management interface of the Aver PTC320UV2 camera, specifically in firmware version 0.1.0000.65. This vulnerability allows an unauthenticated attacker to execute arbitrary commands by sending a crafted web request. The issue arises because the 'Get' parameter is directly passed to a shell command without proper sanitization, enabling command injection through the manipulation of the parameter's value.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the device.

Reproduction

To reproduce this vulnerability, send a web request to the '/action?Get=acc path' endpoint, injecting a shell control character, such as a semicolon, into the 'Get' parameter. This will trigger the execution of arbitrary shell commands on the device.
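A defender-side check for this request pattern, as an added example that is not part of the original advisory: it scans HTTP access logs for '/action' requests whose 'Get' value contains a shell control character after percent-decoding. The log format (common log format, as written by a proxy or sensor in front of the camera), the sample lines and the metacharacter set are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed set of shell control characters that let a value break out of a command line.
SHELL_META = re.compile(r"[;|&`$()<>\r\n]")
# Request line inside a common-log-format entry (assumed log format).
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines, not taken from a real device.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2026:18:00:00 +0000] "GET /action?Get=acc HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/May/2026:18:01:10 +0000] "GET /action?Get=acc;id HTTP/1.1" 200 40',
    '192.0.2.66 - - [01/May/2026:18:01:12 +0000] "GET /action?Get=acc%3Bid HTTP/1.1" 200 40',
    '192.0.2.10 - - [01/May/2026:18:02:00 +0000] "GET /index.html?Get=a;b HTTP/1.1" 200 900',
]


def suspicious_get_values(log_line):
    """Return (client, decoded value) pairs for /action requests whose
    'Get' parameter contains a shell control character."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    client, target = m.groups()
    url = urlsplit(target)
    if url.path != "/action":
        return []
    hits = []
    # parse_qsl percent-decodes, so an encoded %3B is inspected as ';'.
    # separator="&" keeps a raw ';' inside the value instead of splitting on it.
    for name, value in parse_qsl(url.query, keep_blank_values=True, separator="&"):
        if name == "Get" and SHELL_META.search(value):
            hits.append((client, value))
    return hits


def scan(lines):
    """Collect every suspicious (client, value) pair across the log lines."""
    findings = []
    for line in lines:
        findings.extend(suspicious_get_values(line))
    return findings


if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"possible command injection from {client}: Get={value!r}")
```
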

Added: May 1, 2026, 6:21 PM
Updated: May 1, 2026, 6:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.7
remediation: 0.0
relevance: 7.1
threat: 1.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.