CVE-2025-34101
Published 2025-07-10
Priority: P2 · 74 · CVSS 4.0: 9.3 (Critical)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 3.09% (percentile 86.1)
An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| serviio | media_server | 1.4 – 1.8 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP requests to the /rest/action endpoint on port 23423 that invoke the checkStreamUrl method with a VIDEO parameter, especially where the parameter value contains shell metacharacters or command sequences indicative of injection.
- Alert on cmd.exe processes spawned as children of the Serviio console service (the process listening on port 23423 by default); such a process tree may indicate successful exploitation of the checkStreamUrl command injection.
- Flag any inbound connections to TCP port 23423 from external or untrusted sources: the REST API is exposed by default, lacks access controls, and requires no authentication to exploit.
- The vulnerable REST API endpoint is exposed on port 23423 by default with no authentication; this is the default configuration for Serviio Media Server versions 1.4 through 1.8 on Windows.
- Exploitation has been confirmed on Serviio Media Server versions 1.4.0, 1.5.0, 1.6.0, and 1.8.0 on Windows 7; detections should cover the full 1.4 to 1.8 version range.
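The two telemetry-side indicators above (request inspection and process-tree inspection) as working detection logic. This is an added example, not code from the advisory, the listed sources, or the Serviio project. Everything it keys on that is taken from the advisory is the endpoint path, the default port, and the checkStreamUrl / VIDEO names; the request body formats it parses (an XML body with name/value pairs, and a form-encoded body), the Sysmon-style event field names, and the Serviio executable path in the sample events are assumptions, and all sample requests and events are constructed here.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the advisory text.
VULN_PATH = "/rest/action"
VULN_PORT = 23423
VULN_METHOD = "checkStreamUrl"
VULN_PARAM = "VIDEO"

# Characters and tokens that do not belong in a stream URL but do appear in
# cmd.exe injection payloads. A single '&' is deliberately not matched so that
# ordinary query strings in a legitimate stream URL do not fire the rule.
SHELL_META = re.compile(
    r'[|"]|&&|%[A-Za-z_]+%|\bcmd(?:\.exe)?\b|\bpowershell\b', re.IGNORECASE
)


def _extract_param(body: str, name: str):
    """Pull the named parameter out of a request body.

    Assumption for this example: the body is either XML carrying
    <name>NAME</name><value>...</value> pairs, or form-encoded NAME=value.
    Returns None when the parameter is absent.
    """
    xml = re.search(
        r"<name>\s*" + re.escape(name) + r"\s*</name>\s*<value>(.*?)</value>",
        body, re.IGNORECASE | re.DOTALL,
    )
    if xml:
        return xml.group(1)
    form = re.search(r"(?:^|[&?])" + re.escape(name) + r"=([^&]*)", body, re.IGNORECASE)
    if form:
        return unquote_plus(form.group(1))
    return None


def inspect_http_request(dst_port: int, method: str, path: str, body: str) -> dict:
    """Classify one HTTP request against the advisory's indicators.

    Returns {"severity": ..., "reasons": [...]} where severity is one of
    "alert" (injection-shaped VIDEO value on the vulnerable endpoint),
    "review" (any checkStreamUrl call; the API is unauthenticated, so log it),
    "info" (contact with the endpoint or default port), or "none".
    """
    reasons = []
    on_endpoint = path.split("?", 1)[0].lower() == VULN_PATH.lower()
    if on_endpoint:
        reasons.append("request to /rest/action")
    if dst_port == VULN_PORT:
        reasons.append("default console port 23423")
    method_named = VULN_METHOD.lower() in body.lower()
    if method_named:
        reasons.append("checkStreamUrl method named")
    value = _extract_param(body, VULN_PARAM)
    injected = False
    if value is not None:
        reasons.append("VIDEO parameter present")
        injected = SHELL_META.search(value) is not None
        if injected:
            reasons.append("shell metacharacters in VIDEO")

    if on_endpoint and injected:
        severity = "alert"
    elif on_endpoint and method_named:
        severity = "review"
    elif on_endpoint or dst_port == VULN_PORT:
        severity = "info"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons}


def inspect_process_event(event: dict) -> bool:
    """Sysmon-style process-creation event (ParentImage, Image, CommandLine).

    True when cmd.exe is spawned by a Serviio process. The match is on
    'serviio' anywhere in the parent image path because the exact executable
    name is not given by the advisory (assumption for this example).
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return "serviio" in parent and image.endswith("\\cmd.exe")


# Constructed sample telemetry: (dst_port, method, path, body).
SAMPLE_REQUESTS = [
    (23423, "POST", "/rest/action",
     "<action><name>checkStreamUrl</name><parameter><name>VIDEO</name>"
     "<value>http://media.example/stream.mp4</value></parameter></action>"),
    (23423, "POST", "/rest/action",
     "<action><name>checkStreamUrl</name><parameter><name>VIDEO</name>"
     '<value>x"||cmd.exe /c whoami||"</value></parameter></action>'),
    (8895, "GET", "/", ""),
]

# Constructed sample process events; the Serviio install path is assumed.
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Serviio\bin\ServiioService.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[0], req[1], req[2], inspect_http_request(*req))
    for ev in SAMPLE_PROCESS_EVENTS:
        print(ev["ParentImage"], "->", ev["Image"], inspect_process_event(ev))
```

The "review" tier exists because a well-formed checkStreamUrl call is not itself an attack, but the endpoint requires no authentication, so any such call from an untrusted source is worth recording even when the VIDEO value looks like a normal URL. Pair the request rule with the process-tree rule: the former sees the attempt, the latter confirms execution.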
No detection rules found.
No writeups or analysis indexed.
References
- https://fortiguard.fortinet.com/encyclopedia/ips/44042
- https://packetstorm.news/files/id/142387
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/serviio_checkstreamurl_cmd_exec.rb
- https://vulncheck.com/advisories/serviio-media-server-unauthenticated-command-injection
- https://www.exploit-db.com/exploits/42023
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php