CVE-2025-34442
published 2025-12-17


Priority: P3 · 55 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 0.73% (49.7th percentile)
AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
world_wide_broadcast_network | avideo | < 20.1 | 20.1
wwbn | avideo | < 20.0 | 20.0

Detection & IOCs (extracted from sources)

url: /objects/categories.json.php
url: /objects/videosAndroid.json.php
url: /plugin/API/get.json.php
url: /objects/getTimes.json.php
url: /notify.ffmpeg.json.php
path: notify.ffmpeg.json.php
command: eval($callback)
  • Monitor for unauthenticated sequential access to multiple AVideo public API endpoints in short succession: /objects/categories.json.php, /objects/videosAndroid.json.php (or /plugin/API/get.json.php), and /objects/getTimes.json.php — this pattern indicates salt-discovery reconnaissance preceding RCE.
  • Alert on POST requests to notify.ffmpeg.json.php containing a `callback` parameter from unauthenticated sources; this is the RCE trigger endpoint.
  • Inspect API responses from /objects/videosAndroid.json.php and /plugin/API/get.json.php for the `posterPortraitPath` field leaking absolute filesystem paths; presence of this field in responses confirms CVE-2025-34442 exposure.
  • The legacy salt fallback in encrypt_decrypt() (introduced January 15, 2024) and the eval($callback) sink (introduced January 7, 2025) are both required for exploitation; AVideo versions 14.3.1 through 20.0 are affected even after the posterPortraitPath leak was patched in v20.0.
  • The RCE is only exploitable because AVideo's encrypt_decrypt() retains a fallback to the weak uniqid()-based salt even when the stronger saltV2 is present. Removing the fallback mechanism would break the exploit chain even if the weak salt is discoverable.
  • AVideo v20.0 patched the posterPortraitPath filesystem path leak but left the legacy salt fallback and eval($callback) intact, meaning RCE is still achievable via the SYSTEM_ROOT path. Full remediation requires upgrading to v20.1+.
  • The weak salt is derived from PHP's uniqid(), which produces only ~1,048,576 possible microsecond values (0x00000–0xFFFFF), making offline brute-force of the full salt feasible once the installation timestamp is leaked.
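The first two monitoring items above, as an added detection sketch over web server access logs (not code from AVideo or from the sources this page cites). Assumptions: logs are in combined log format and in time order per client, "short succession" is taken as 60 seconds, and because access logs carry no request body, every POST to notify.ffmpeg.json.php is flagged rather than only those with a `callback` parameter.

```python
import re
from datetime import datetime, timedelta

# Recon stages named in the detection notes; stage "videos" accepts either endpoint.
STAGES = {
    "/objects/categories.json.php": "categories",
    "/objects/videosAndroid.json.php": "videos",
    "/plugin/API/get.json.php": "videos",
    "/objects/getTimes.json.php": "times",
}
TRIGGER = "/notify.ffmpeg.json.php"
WINDOW = timedelta(seconds=60)  # assumption: what counts as "short succession"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def detect(lines, window=WINDOW):
    """Return sorted (client_ip, finding) pairs for combined-format log lines."""
    seen, findings = {}, set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, ts, method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = target.split("?", 1)[0]  # ignore the query string
        if method == "POST" and path.endswith(TRIGGER):
            findings.add((ip, "post-to-notify-ffmpeg"))
        for suffix, stage in STAGES.items():
            if path.endswith(suffix):  # endswith tolerates a sub-directory install
                hits = seen.setdefault(ip, {})
                hits[stage] = when  # keep the latest hit per stage
                recent = [t for t in hits.values() if when - t <= window]
                if len(recent) == 3:  # all three stages inside the window
                    findings.add((ip, "recon-sequence"))
    return sorted(findings)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [17/Dec/2025:10:00:01 +0000] "GET /objects/categories.json.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [17/Dec/2025:10:00:03 +0000] "GET /plugin/API/get.json.php HTTP/1.1" 200 9001 "-" "-"',
    '198.51.100.7 - - [17/Dec/2025:10:00:05 +0000] "GET /objects/getTimes.json.php?t=1 HTTP/1.1" 200 64 "-" "-"',
    '198.51.100.7 - - [17/Dec/2025:10:00:20 +0000] "POST /notify.ffmpeg.json.php HTTP/1.1" 200 2 "-" "-"',
    '203.0.113.9 - - [17/Dec/2025:10:00:02 +0000] "GET /objects/categories.json.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [17/Dec/2025:10:05:00 +0000] "GET /objects/videosAndroid.json.php HTTP/1.1" 200 9001 "-" "-"',
    '203.0.113.9 - - [17/Dec/2025:10:09:00 +0000] "GET /objects/getTimes.json.php HTTP/1.1" 200 64 "-" "-"',
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Matching the `callback` parameter itself, or the `posterPortraitPath` field in responses, needs request and response body visibility (WAF or reverse-proxy logging), which access logs do not provide.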

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X