CVE-2013-4982
published 2019-12-27

CVE-2013-4982: AVTECH AVN801 DVR has a security bypass via the administration login captcha

Priority: P266 · critical · 9.8 CVSS 3.1
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:H
EXPLOIT
EPSS: 13.12% (95.9th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
avtech | avn801_dvr_firmware | |

Detection & IOCs (extracted from sources)

url: /cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUA&verify_code=FMUYyLOivRpgc
url: /cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUF&verify_code=FMUYyLOivRpgc
url: /cgi-bin/nobody/VerifyCode.cgi?account={{base64(username + ':' + password)}}&login=quick
path: /cgi-bin/nobody/VerifyCode.cgi
path: /cgi-bin/user/Config.cgi
port: 554
command: login=quick
  • CVE-2013-4982 captcha bypass: send GET request to /cgi-bin/nobody/VerifyCode.cgi with the 'login=quick' parameter to bypass verification code entirely without a valid captcha.
  • CVE-2013-4982 captcha replay: attacker replays a hardcoded captcha_code and verify_code pair against /cgi-bin/nobody/VerifyCode.cgi with a base64-encoded account credential; a successful bypass returns HTTP 200 with a 5-byte body starting with '0' followed by 'OK'.
  • Monitor HTTP responses to /cgi-bin/nobody/VerifyCode.cgi for a 200 status with body length of exactly 5 bytes matching regex '^0.*\nOK.*' as an indicator of successful captcha bypass.
  • Shodan/FOFA fingerprinting: exposed AVTECH DVR login pages can be identified via Shodan query 'title:"login" product:"Avtech"' or FOFA query 'app="AVTECH-视频监控"'.
  • CVE-2013-4980 (related): detect RTSP SETUP requests on port 554 with anomalously long URI strings (cyclic pattern or large padding) as indicators of buffer overflow exploitation attempts against the RTSP packet handler.
  • CVE-2013-4981 (related): detect unauthenticated HTTP POST requests to /cgi-bin/user/Config.cgi with an excessively long 'Network.SMTP.Receivers' parameter value as an indicator of buffer overflow exploitation.
  • The hardcoded base64 account credential 'YWRtaW46YWRtaW4=' decodes to 'admin:admin', indicating the PoC targets default credentials; real-world attacks may use other credentials.
  • Affected firmware version is 1017-1003-1009-1003 on DVR 4CH H.264 (AVTECH AVN801); older versions are likely affected but were not confirmed.
  • The Nuclei template uses a pitchfork attack with hardcoded credentials (admin:linux321); detection logic depends on a 5-byte response body matching '^0.*\nOK.*', which may vary across firmware versions.
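
The detection notes above, as an added example (not taken from the cited sources or from any vendor tooling): a Python pass over HTTP transaction records that flags `login=quick` requests and reused `verify_code` values, and marks the ones whose response matches the 5-byte success pattern. The record layout, the sample values (including the failure body) and the reuse heuristic are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

VERIFY_PATH = "/cgi-bin/nobody/VerifyCode.cgi"
BYPASS_BODY = re.compile(rb"^0.*\nOK.*")  # success pattern quoted in the notes above

def scan(records):
    """Return (client, reason, succeeded) tuples for suspicious VerifyCode.cgi hits.

    Each record is a dict with 'client', 'url', 'status' and 'body' (bytes);
    this layout is an assumption, e.g. the output of a reverse-proxy capture.
    """
    token_hits = Counter()  # verify_code -> number of requests carrying it
    alerts = []
    for r in records:
        url = urlsplit(r["url"])
        if url.path != VERIFY_PATH:
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        reasons = []
        if "quick" in qs.get("login", []):
            reasons.append("login=quick")
        for token in qs.get("verify_code", []):
            token_hits[token] += 1
            # Heuristic (assumption): a verify_code should be single-use, so a
            # second sighting of the same value is treated as a replay.
            if token_hits[token] > 1:
                reasons.append("verify_code reuse")
        body = r.get("body", b"")
        succeeded = (r["status"] == 200 and len(body) == 5
                     and BYPASS_BODY.match(body) is not None)
        alerts.extend((r["client"], reason, succeeded) for reason in reasons)
    return alerts

# Constructed sample records; addresses, tokens and bodies are made up.
SAMPLE = [
    {"client": "203.0.113.7", "status": 200, "body": b"0\nOK\n",
     "url": VERIFY_PATH + "?account=EXAMPLE&login=quick"},
    {"client": "203.0.113.9", "status": 200, "body": b"-1\nERROR\n",
     "url": VERIFY_PATH + "?account=EXAMPLE&captcha_code=AAAA&verify_code=TOKEN1"},
    {"client": "203.0.113.9", "status": 200, "body": b"0\nOK\n",
     "url": VERIFY_PATH + "?account=EXAMPLE&captcha_code=AAAB&verify_code=TOKEN1"},
    {"client": "198.51.100.4", "status": 200, "body": b"hello",
     "url": "/index.html"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Alerts with `succeeded` set to true are the ones to triage first; as the notes above say, the success body may differ across firmware versions, so a false value does not rule out a bypass.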

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P