cbcvebase.
CVE-2025-34433
published 2025-12-19


Priority P2 75 · critical 9.3 · CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS 1.46% (70.2nd percentile)
AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user.

Affected

1 range
Vendor:        world_wide_broadcast_network
Product:       avideo
Version range: >= 14.3.1 < 20.1
Fixed in:      20.1

Detection & IOCs (extracted from sources)

path:    /objects/categories.json.php
path:    /objects/videosAndroid.json.php
path:    /plugin/API/get.json.php
path:    /objects/getTimes.json.php
path:    /notify.ffmpeg.json.php
command: eval($callback)
  • Monitor for unauthenticated HTTP requests to /objects/categories.json.php, /objects/videosAndroid.json.php, /plugin/API/get.json.php, and /objects/getTimes.json.php in rapid succession — this sequence is characteristic of the salt-discovery reconnaissance phase of the exploit chain.
  • Alert on any POST/GET requests to notify.ffmpeg.json.php containing a 'callback' parameter from unauthenticated sources — this is the RCE delivery endpoint.
  • Detect offline brute-force attempts: the attacker must iterate up to 1,048,576 microsecond values (0x00000–0xFFFFF) to recover the salt; high-volume requests to hashId-exposing endpoints from a single source IP may indicate active brute-force.
  • Flag AVideo instances running versions 14.3.1 through 20.0 as vulnerable; the legacy salt fallback and eval($callback) were NOT removed in v20.0.
  • Inspect posterPortraitPath field in video API responses for system root path disclosure, which is used by attackers to reconstruct the salt brute-force target.
  • The RCE is only exploitable because of a fallback mechanism in encrypt_decrypt() that retries decryption with the weak uniqid()-derived salt when the secure saltV2 fails. Removing or disabling this fallback would break the exploit chain.
  • The vulnerability was introduced on January 7, 2025 (eval payload) and the fallback mechanism on January 15, 2024; versions prior to 14.3.1 are not affected.
  • In AVideo v20.0 the posterPortraitPath leak was patched, but the exploit remains viable using SYSTEM_ROOT as an alternative path source; v20.0 is still vulnerable.
  • The salt brute-force is performed offline using the leaked hashId for comparison, meaning the attacker does not need to send high volumes of requests to the target server during the brute-force phase.
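The two log-based detections above (the four-endpoint salt-discovery sequence from one source, and requests to notify.ffmpeg.json.php carrying a callback parameter) can be expressed as a small scan over web server access logs. The following is an added example written for this record, not code from the AVideo project or from the cited sources. It assumes Apache/nginx combined log format, a 60-second window for the reconnaissance sequence, and a client that may be either a SIEM pipeline or a one-off triage script; the log lines are constructed. It does not determine authentication state (that is not in an access log), so its hits are leads for review, not confirmations.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the CVE record. The first four are touched during the
# salt-discovery phase; the last is the endpoint that evaluates $callback.
RECON_PATHS = {
    "/objects/categories.json.php",
    "/objects/videosAndroid.json.php",
    "/plugin/API/get.json.php",
    "/objects/getTimes.json.php",
}
RCE_PATH = "/notify.ffmpeg.json.php"

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client runs the recon sequence and then calls the
# notify endpoint; a second client browses two of the endpoints 25 minutes apart.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Dec/2025:10:00:01 +0000] "GET /objects/categories.json.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [19/Dec/2025:10:00:02 +0000] "GET /objects/categories.json.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Dec/2025:10:00:03 +0000] "GET /objects/videosAndroid.json.php HTTP/1.1" 200 9031 "-" "curl/8.0"',
    '203.0.113.5 - - [19/Dec/2025:10:00:05 +0000] "GET /plugin/API/get.json.php HTTP/1.1" 200 2210 "-" "curl/8.0"',
    '203.0.113.5 - - [19/Dec/2025:10:00:08 +0000] "GET /objects/getTimes.json.php HTTP/1.1" 200 140 "-" "curl/8.0"',
    '203.0.113.5 - - [19/Dec/2025:10:12:40 +0000] "GET /notify.ffmpeg.json.php?callback=1 HTTP/1.1" 200 20 "-" "curl/8.0"',
    '203.0.113.5 - - [19/Dec/2025:10:12:41 +0000] "POST /notify.ffmpeg.json.php HTTP/1.1" 200 20 "-" "curl/8.0"',
    '198.51.100.7 - - [19/Dec/2025:10:25:00 +0000] "GET /objects/getTimes.json.php HTTP/1.1" 200 140 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict with ip, ts, method, path, query for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": url.path,
        "query": parse_qs(url.query),
    }


def detect(lines, window_seconds=60):
    """Scan access-log lines and return a list of alert dicts (kind, ip, detail)."""
    alerts = []
    recon_hits = defaultdict(list)  # ip -> [(ts, path), ...]

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["path"] == RCE_PATH:
            if "callback" in ev["query"]:
                # callback in the query string is visible in the access log
                alerts.append({"kind": "rce_callback_param", "ip": ev["ip"], "detail": ev["path"]})
            elif ev["method"] == "POST":
                # a POSTed callback is in the body, which access logs do not record:
                # flag for body inspection at the WAF / request-logging layer
                alerts.append({"kind": "rce_endpoint_post_review_body", "ip": ev["ip"], "detail": ev["path"]})
        if ev["path"] in RECON_PATHS:
            recon_hits[ev["ip"]].append((ev["ts"], ev["path"]))

    # Sliding window per source: all four recon endpoints inside window_seconds
    window = timedelta(seconds=window_seconds)
    for ip, hits in recon_hits.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {p for t, p in hits[i:] if t - t0 <= window}
            if seen == RECON_PATHS:
                alerts.append({"kind": "salt_recon_sequence", "ip": ip, "detail": sorted(seen)})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["kind"], a["ip"], a["detail"])
```

The recon window is deliberately short because the sources describe the four requests as a rapid burst; widening it trades false positives for catching slower scanners. The POST branch exists because an access log cannot show a body parameter, so a POST to the notify endpoint is escalated for body inspection rather than silently passed.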