CVE-2025-25504 is a medium-severity vulnerability affecting certain versions (v1.85h, v1.86v, and v1.70) of Gefen WebFWC devices used in AV over IP (Audio-Visual over Internet Protocol) products. The vulnerability resides in the /usr/local/bin/jncs.sh script, which listens on TCP port 4444. Due to improper authentication controls, attackers with network access can connect to this port without any authentication and execute arbitrary commands with root privileges. This vulnerability combines aspects of CWE-287 (Improper Authentication) and CWE-77 (Command Injection), allowing an unauthenticated remote attacker to gain full control over the affected device. The CVSS 3.1 base score is 6.5, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality and integrity impact (C:L/I:L) but no availability impact (A:N). The vulnerability enables attackers to execute arbitrary commands as root, potentially leading to device compromise, unauthorized access to AV streams, or pivoting into internal networks. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in early 2025 and published in May 2025.

For European organizations, especially those relying on Gefen AV over IP products for conference rooms, digital signage, or broadcast environments, this vulnerability poses a significant risk. Exploitation could lead to unauthorized control of AV infrastructure, disruption of critical communication channels, and potential data leakage through compromised devices. Since these devices often reside within corporate or institutional networks, attackers could leverage this foothold to move laterally, escalate privileges, or exfiltrate sensitive information. The lack of authentication on a network-accessible port increases the risk in environments where network segmentation is weak or where these devices are exposed to less trusted networks. The impact on confidentiality and integrity is notable, although availability is not directly affected. Given the specialized nature of the product, the threat is more acute for organizations with extensive AV deployments, such as large enterprises, media companies, educational institutions, and government agencies in Europe.

European organizations using Gefen WebFWC AV over IP products should immediately assess their exposure to TCP port 4444 on these devices. Practical mitigation steps include: 1) Network segmentation to isolate AV devices from general user and internet-facing networks, limiting access to trusted administrators only. 2) Implement firewall rules to block or restrict inbound connections to port 4444 except from authorized management stations. 3) Monitor network traffic for unusual connections or command execution attempts targeting these devices. 4) Disable or restrict the jncs.sh script or the service listening on port 4444 if not required for normal operations. 5) Engage with the vendor or authorized support channels to obtain patches or firmware updates addressing this vulnerability as soon as they become available. 6) Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts related to this vulnerability. 7) Conduct regular audits of AV device configurations and access logs to detect unauthorized activity. These measures go beyond generic advice by focusing on network controls, monitoring, and vendor engagement specific to the affected product and vulnerability.