Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-34433Code Injection in Wide Broadcast Network Avideo

CWE-94Code Injection3 documents3 sources
Severity
9.3CRITICALNVD
EPSS
51.7%
top 2.09%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
World Wide Broadcast Network Avideo
Timeline
PublishedDec 19

Description

AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages1 packages

CVEListV5world_wide_broadcast_network/avideo14.3.120.1

🔴Vulnerability Details

1
GHSA
GHSA-hv75-87h9-4p5h: AVideo versions 142025-12-19

💥Exploits & PoCs

1
Metasploit
AVideo notify.ffmpeg.json.php Unauthenticated RCE via Salt Discovery