
CVE-2025-34101: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Serviio Media Server

Critical
Tags: Vulnerability, CVE-2025-34101, cve, cwe-78, cwe-306, cwe-20
Published: Thu Jul 10 2025 (07/10/2025, 19:11:05 UTC)
Source: CVE Database V5
Vendor/Project: Serviio
Product: Media Server

Description

An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.

AI-Powered Analysis

Last updated: 07/10/2025, 19:46:23 UTC

Technical Analysis

CVE-2025-34101 is a critical unauthenticated OS command injection vulnerability affecting Serviio Media Server versions 1.4 through 1.8 on Windows platforms. The vulnerability exists in the /rest/action API endpoint exposed by the console component, which by default listens on port 23423. Specifically, the checkStreamUrl method accepts a VIDEO parameter that is passed directly and unsanitized to the Windows command interpreter (cmd.exe). This lack of input validation allows an attacker to inject arbitrary OS commands that execute with the privileges of the web server process hosting the Serviio Media Server. Since the REST API is exposed by default and lacks any authentication or access controls, exploitation requires no credentials or user interaction, making it trivially exploitable remotely over the network. The vulnerability is categorized under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), CWE-306 (Missing Authentication for Critical Function), and CWE-20 (Improper Input Validation). The CVSS v4.0 base score is 9.3, reflecting its critical severity due to network attack vector, no required authentication, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known in the wild, the ease of exploitation and severity make this a high-risk vulnerability for any organization running affected Serviio Media Server versions on Windows. The vulnerability allows remote attackers to execute arbitrary commands, potentially leading to full system compromise, data theft, service disruption, or lateral movement within networks.

Potential Impact

For European organizations, the impact of this vulnerability can be severe. Serviio Media Server is used in various environments including media streaming for enterprises, educational institutions, and home users. Organizations relying on Serviio for internal or external media distribution could face unauthorized access and control over affected servers. The ability to execute arbitrary commands remotely without authentication can lead to data breaches, installation of malware or ransomware, disruption of media services, and pivoting to other critical systems within the network. Given the default exposure of the vulnerable API endpoint, attackers can scan for and target these servers at scale. The compromise of media servers may also affect compliance with data protection regulations such as GDPR if personal or sensitive data is processed or stored on these systems. Additionally, disruption of media services can impact business continuity and user experience. The lack of known patches at the time of disclosure increases the urgency for mitigation to prevent exploitation.

Mitigation Recommendations

Immediate mitigation steps should include restricting network access to the Serviio Media Server's default port 23423 by implementing firewall rules to allow only trusted IP addresses or internal networks. If possible, disable or restrict the REST API endpoint until a patch or update is available. Network segmentation should be employed to isolate media servers from critical infrastructure and sensitive data repositories. Monitoring network traffic for unusual requests to the /rest/action endpoint and implementing intrusion detection/prevention systems with signatures for command injection attempts can help detect exploitation attempts. Administrators should upgrade to patched versions as soon as they become available from the vendor. In the interim, consider deploying application-layer proxies or web application firewalls (WAFs) that can sanitize or block malicious input targeting the VIDEO parameter. Regularly audit and review server logs for suspicious command execution or unexpected process activity. Finally, ensure that the Serviio Media Server runs with the least privileges necessary to limit the impact of potential exploitation.
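The monitoring step above (watching for unusual requests to /rest/action and for command-injection attempts against the VIDEO parameter) can be turned into a small log check. The following is an added example written for this page, not code from Serviio or from the advisory: it parses constructed access-log lines, decodes the VIDEO query value and flags values that contain cmd.exe metacharacters or that do not look like a stream URL. The log line format, the `name=checkStreamUrl` query layout and the allowed-scheme list are assumptions; only the /rest/action path, the VIDEO parameter and port 23423 come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed access-log format (constructed for this example):
#   <client ip> "<METHOD> <request target> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Characters cmd.exe treats specially; any of them inside a single URL
# argument is a strong sign that the value is not a plain stream URL.
CMD_METACHARS = set('&|<>^"\r\n')

# Schemes a stream URL is expected to use (allowlist; an assumption).
ALLOWED_SCHEMES = {"http", "https", "rtsp", "rtmp", "mms"}

# Constructed sample log lines; the "name=checkStreamUrl" parameter is a
# hypothetical layout, the VIDEO parameter name is from the advisory.
SAMPLE_LOG = """\
10.0.0.5 "GET /rest/action?name=checkStreamUrl&VIDEO=http%3A%2F%2Fmedia.example.test%2Fshow.mp4 HTTP/1.1" 200
10.0.0.9 "GET /rest/action?name=checkStreamUrl&VIDEO=http%3A%2F%2Fx.test%2Fa.mp4%26%26dir HTTP/1.1" 200
10.0.0.7 "GET /rest/status HTTP/1.1" 200
203.0.113.4 "GET /rest/action?name=checkStreamUrl&VIDEO=%22%20%7C%20dir HTTP/1.1" 500
"""


def suspicious_video_value(value):
    """Return the list of reasons a decoded VIDEO value looks suspicious."""
    reasons = []
    if any(ch in CMD_METACHARS for ch in value):
        reasons.append("cmd.exe metacharacter")
    scheme = urlsplit(value).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        reasons.append("not a stream URL")
    return reasons


def scan_log(text):
    """Scan access-log text and return findings for /rest/action requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        parts = urlsplit(m.group("target"))
        if parts.path.lower() != "/rest/action":
            continue
        # parse_qs splits on the raw '&' first and percent-decodes each value,
        # so an encoded separator (%26) ends up inside the VIDEO value.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("VIDEO", []):
            reasons = suspicious_video_value(value)
            if reasons:
                findings.append(
                    {"ip": m.group("ip"), "status": m.group("status"),
                     "video": value, "reasons": reasons}
                )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The check decodes before matching, so percent-encoded separators are caught; a literal, unencoded `&` in a request would instead show up as an extra query key, so a stricter variant could also alert on any key the endpoint is not expected to take. Treat hits as triage input rather than proof of compromise, and pair them with the firewall restriction on port 23423 described above.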


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.556Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687014fca83201eaaca979e6

Added to database: 7/10/2025, 7:31:08 PM

Last enriched: 7/10/2025, 7:46:23 PM

Last updated: 8/15/2025, 7:35:50 PM
