CRITICAL🇵🇱 Wersja polska

CVE-2025-46408

CVSS 9.8v3.1pub. 2025-09-15upd. 2025-10-17

An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER, bypassing domain validation.

🤖 AI Analysis
How it works

In the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient, the application sets the ALLOW_ALL_HOSTNAME_VERIFIER flag, which completely disables domain verification when establishing HTTPS connections. This means the application will accept any TLS certificate regardless of whether the hostname on the certificate matches the actual server. An attacker on the same network (e.g., public Wi-Fi) can substitute their own TLS server and intercept communication between the application and the target push server without detection by the user.

Impact

An attacker can conduct a Man-in-the-Middle attack, gaining access to sensitive data transmitted by the application (e.g., authentication credentials, camera images) and potentially modifying communication, which threatens data confidentiality and integrity.

Mitigation & patch

Apply patches available from the manufacturer according to references. Until update, it is recommended to avoid using the application on untrusted networks (public Wi-Fi, networks of unknown operators).

Who is affected

AVTECH EagleEyes (Lite) version 2.0.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Avtech Eagleeyes\(lite\)

    APP
    Avtech
    2.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-50944HIGH8.8ten sam produkt

An issue was discovered in the method push.lite.avtech.com.MySSLSocketFactoryNew.checkServerTrusted in AVTECH ...

CVE-2013-4982CRITICAL9.8ten sam vendor

AVTECH AVN801 DVR has a security bypass via the administration login captcha

CVE-2025-57199HIGH8.8ten sam vendor

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated com...

CVE-2025-57198HIGH8.8ten sam vendor

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated com...

CVE-2025-57201HIGH8.8ten sam vendor

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated com...