CVE-2025-34441
Published 2025-12-17
Priority: P3 · 57 · Severity: high · CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT · EPSS 0.73% (49.7th percentile)
AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| world_wide_broadcast_network | avideo | < 20.1 | 20.1 |
| wwbn | avideo | < 20.0 | 20.0 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated GET/POST requests to /notify.ffmpeg.json.php — this endpoint accepts an encrypted 'callback' parameter that is passed to eval(); any access from untrusted sources should be treated as a potential RCE attempt.
- Alert on sequential or rapid unauthenticated requests to /objects/categories.json.php, /objects/videosAndroid.json.php (or /plugin/API/get.json.php), and /objects/getTimes.json.php from the same source IP — this pattern matches the multi-step reconnaissance phase of the exploit chain.
- The exploit relies on a fallback to the weak uniqid()-based salt (saltV2 fallback) in encrypt_decrypt(). Detect exploitation attempts by looking for the 'callback' parameter in requests to notify.ffmpeg.json.php where decryption with saltV2 fails but the legacy salt succeeds — indicative of the fallback path being abused.
- Flag unauthenticated access to the public user API endpoint that returns emails, usernames, administrative status, and last login times — this constitutes user enumeration (CVE-2025-34441) and may precede targeted attacks.
- The offline bruteforce phase iterates over 1,048,576 possible microsecond values (0x00000–0xFFFFF) to recover the uniqid() salt. High-volume requests to video/API endpoints comparing hashId values from a single source may indicate active salt bruteforcing.
- AVideo v20.0 patched the posterPortraitPath information leak but did NOT remove the legacy salt fallback or eval($callback), meaning RCE remains fully exploitable on v20.0 using SYSTEM_ROOT — patching to v20.0 is insufficient; v20.1 or later is required.
- The RCE exploit chain only applies to AVideo 14.3.1 and later (introduced January 7, 2025); the fallback mechanism in encrypt_decrypt() was introduced January 15, 2024 — both conditions must be present for exploitability.
- The weak salt is derived from PHP's uniqid() seeded by the Unix timestamp at installation time — an attacker who can determine the approximate installation date can dramatically reduce the bruteforce search space.
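The indicators above translate directly into access-log heuristics. What follows is an added example (not from this page's sources or the AVideo project) that scans web-server logs in Apache/nginx combined format for three of the listed patterns: a `callback` parameter sent to /notify.ffmpeg.json.php, a reconnaissance sequence across the JSON endpoints from one source IP, and high request volume against the JSON API. The log lines, IP addresses, time window and hit thresholds are constructed assumptions; an access log cannot show whether a request carried a valid session, so the example treats every hit as unauthenticated and leaves session correlation to the SIEM.

```python
"""Access-log heuristics for the AVideo indicators listed above.

Added example, not from the source page or the AVideo project. Assumes
Apache/nginx "combined" log format; the sample log lines, IPs, window
and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints named in the detection notes above.
EVAL_ENDPOINT = "/notify.ffmpeg.json.php"
RECON_ENDPOINTS = {
    "/objects/categories.json.php",
    "/objects/videosAndroid.json.php",
    "/plugin/API/get.json.php",  # alternative to videosAndroid.json.php
    "/objects/getTimes.json.php",
}
# Assumed, tunable thresholds: a recon chain is >= 3 distinct endpoints
# within 120 s; >= 50 JSON API hits from one IP hints at hashId/salt
# brute-forcing.
RECON_WINDOW_S = 120
RECON_MIN_ENDPOINTS = 3
BRUTE_FORCE_MIN_HITS = 50


def parse_line(line):
    """Parse one combined-format line; return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m["status"]),
    }


def analyse(lines):
    """Return a list of (severity, ip, reason) alerts for the given lines."""
    alerts = []
    recon = defaultdict(list)    # ip -> [(timestamp, path)] on recon endpoints
    api_hits = defaultdict(int)  # ip -> number of *.json.php requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        # Indicator 1: callback parameter reaching the eval() endpoint.
        if path == EVAL_ENDPOINT and "callback" in rec["query"]:
            alerts.append(("high", ip, "callback parameter sent to " + EVAL_ENDPOINT))
        if path in RECON_ENDPOINTS:
            recon[ip].append((rec["ts"], path))
        if path.endswith(".json.php"):
            api_hits[ip] += 1
    # Indicator 2: several distinct recon endpoints hit in a short window.
    for ip, hits in recon.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            window = {p for t, p in hits[i:] if (t - t0).total_seconds() <= RECON_WINDOW_S}
            if len(window) >= RECON_MIN_ENDPOINTS:
                alerts.append(("medium", ip, "reconnaissance sequence: " + ", ".join(sorted(window))))
                break
    # Indicator 3: request volume against the JSON API from one source.
    for ip, n in api_hits.items():
        if n >= BRUTE_FORCE_MIN_HITS:
            alerts.append(("medium", ip, f"{n} JSON API requests (possible hashId/salt brute-forcing)"))
    return alerts


def sample_log():
    """Constructed sample: one recon chain plus callback, one noisy client, one benign hit."""
    lines = [
        '198.51.100.7 - - [17/Dec/2025:10:00:01 +0000] "GET /objects/categories.json.php HTTP/1.1" 200 512',
        '198.51.100.7 - - [17/Dec/2025:10:00:03 +0000] "GET /plugin/API/get.json.php HTTP/1.1" 200 2048',
        '198.51.100.7 - - [17/Dec/2025:10:00:05 +0000] "GET /objects/getTimes.json.php HTTP/1.1" 200 128',
        '198.51.100.7 - - [17/Dec/2025:10:00:09 +0000] "POST /notify.ffmpeg.json.php?callback=REDACTED HTTP/1.1" 200 64',
        '203.0.113.5 - - [17/Dec/2025:10:01:00 +0000] "GET /objects/categories.json.php HTTP/1.1" 200 512',
    ]
    # 60 rapid hits on one API endpoint from a single IP (constructed).
    lines += [
        f'192.0.2.9 - - [17/Dec/2025:10:02:{s:02d} +0000] "GET /plugin/API/get.json.php HTTP/1.1" 200 2048'
        for s in range(60)
    ]
    return lines


if __name__ == "__main__":
    for severity, ip, reason in analyse(sample_log()):
        print(f"[{severity}] {ip}: {reason}")
```

The thresholds are deliberately conservative starting points; on a busy instance the brute-force counter should key on the `hashId` query parameter the notes mention rather than on all JSON endpoints, and the `callback` rule should be suppressed for the server's own loopback address if the ffmpeg notifier legitimately calls back from localhost.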
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
No writeups or analysis indexed.