CVE-2025-34101

Sažetak

An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.

Reference

https://fortiguard.fortinet.com/encyclopedia/ips/44042
https://packetstorm.news/files/id/142387
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/serviio_checkstreamurl_cmd_exec.rb
https://vulncheck.com/advisories/serviio-media-server-unauthenticated-command-injection
https://www.exploit-db.com/exploits/42023
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

10-07-2025 - 20:15

Objavljeno

10-07-2025 - 20:15