cbcvebase.
CVE-2016-15044
published 2025-07-23


Priority: P271 · Severity: critical · CVSS 4.0 base score: 9.3
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.41% (69.3rd percentile)
A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata GET parameter to the redirectWidgetCmd endpoint. Successful exploitation leads to execution of arbitrary PHP code in the context of the web server process.

Affected (1 range)

Vendor: kaltura
Product: video_platform
Version range: < 11.1.0-2
Fixed in: 11.1.0-2

Detection & IOCs (extracted from sources)

URL: /keditorservices/redirectWidgetCmd
Other: kdata (GET parameter)
  • Monitor HTTP requests to the keditorservices/redirectWidgetCmd endpoint for the presence of a serialized PHP object in the 'kdata' GET parameter (look for PHP serialization markers such as 'O:' or 'a:' prefixes in the parameter value).
  • Alert on unauthenticated requests to the redirectWidgetCmd endpoint carrying a kdata parameter, as exploitation requires no authentication.
  • Detect exploitation attempts leveraging the Zend_Log __destruct() POP chain; look for serialized PHP objects referencing Zend_Log class structures in HTTP request bodies or query strings targeting Kaltura.
  • Flag Kaltura installations running versions prior to 11.1.0-2 as vulnerable; prioritize patching or WAF coverage for the keditorservices module on those hosts.
  • The vulnerability is in the keditorservices module specifically; ensure this module is present and enabled before assuming exploitability: installations without this module may not be affected.
  • Exploitation results in code execution under the web server process context, not root; post-exploitation privilege escalation would be a separate step.
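The first three detection indicators above, implemented as a scan over web-server access-log lines. This is an added example, not part of this record or of Kaltura's own code; the endpoint path and the kdata parameter come from the record, while the regexes, function names and the sample log entries are constructed for the example.

```python
# Flags access-log entries matching the CVE-2016-15044 exploitation pattern (constructed example).
import re
from urllib.parse import parse_qs, urlsplit

# Matches the request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# PHP serialize() output for an object or an array begins with O:<len>: or a:<len>:
PHP_SERIALIZED_RE = re.compile(r"^(?:O|a):\d+:")
ENDPOINT = "/keditorservices/redirectWidgetCmd"  # from the record


def classify_request(target: str):
    """Return None, 'suspect' or 'high' for one request target (path + query)."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith(ENDPOINT):
        return None
    # parse_qs percent-decodes values, so 'O%3A8%3A' becomes 'O:8:' before matching.
    for value in parse_qs(parts.query).get("kdata", []):
        if PHP_SERIALIZED_RE.match(value):
            # A payload naming the Zend_Log class matches the POP-chain indicator.
            return "high" if "Zend_Log" in value else "suspect"
    return None


def scan_log(lines):
    """Return (client_ip, severity, target) for every matching log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        severity = classify_request(m.group("target"))
        if severity:
            hits.append((line.split(" ", 1)[0], severity, m.group("target")))
    return hits


# Constructed sample entries (not real traffic); the third is a benign kdata value.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jul/2025:10:01:02 +0000] "GET /keditorservices/redirectWidgetCmd?kdata=O%3A8%3A%22Zend_Log%22%3A0%3A%7B%7D HTTP/1.1" 302 0',
    '198.51.100.7 - - [23/Jul/2025:10:01:09 +0000] "GET /keditorservices/redirectWidgetCmd?kdata=a%3A1%3A%7Bi%3A0%3Bs%3A1%3A%22x%22%3B%7D HTTP/1.1" 302 0',
    '192.0.2.9 - - [23/Jul/2025:10:02:00 +0000] "GET /keditorservices/redirectWidgetCmd?kdata=abc123 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, severity, target in scan_log(SAMPLE_LOG):
        print(f"{severity:7} {ip:15} {target}")
```

The path check uses endswith so that deployments serving the endpoint under a front-controller prefix are still matched; tune the severity labels to your alerting pipeline.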