CVE-2025-34101: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Serviio Media Server
An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.
AI Analysis
Technical Summary
CVE-2025-34101 is a critical unauthenticated OS command injection vulnerability affecting Serviio Media Server versions 1.4 through 1.8 on Windows platforms. The vulnerability exists in the /rest/action API endpoint exposed by the console component, which by default listens on port 23423. Specifically, the checkStreamUrl method accepts a VIDEO parameter that is passed directly and unsanitized to the Windows command interpreter (cmd.exe). This lack of input validation allows an attacker to inject arbitrary OS commands that execute with the privileges of the web server process hosting the Serviio Media Server. Since the REST API is exposed by default and lacks any authentication or access controls, exploitation requires no credentials or user interaction, making it trivially exploitable remotely over the network. The vulnerability is categorized under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), CWE-306 (Missing Authentication for Critical Function), and CWE-20 (Improper Input Validation). The CVSS v4.0 base score is 9.3, reflecting its critical severity due to network attack vector, no required authentication, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known in the wild, the ease of exploitation and severity make this a high-risk vulnerability for any organization running affected Serviio Media Server versions on Windows. The vulnerability allows remote attackers to execute arbitrary commands, potentially leading to full system compromise, data theft, service disruption, or lateral movement within networks.
Potential Impact
For European organizations, the impact of this vulnerability can be severe. Serviio Media Server is used in various environments including media streaming for enterprises, educational institutions, and home users. Organizations relying on Serviio for internal or external media distribution could face unauthorized access and control over affected servers. The ability to execute arbitrary commands remotely without authentication can lead to data breaches, installation of malware or ransomware, disruption of media services, and pivoting to other critical systems within the network. Given the default exposure of the vulnerable API endpoint, attackers can scan for and target these servers at scale. The compromise of media servers may also affect compliance with data protection regulations such as GDPR if personal or sensitive data is processed or stored on these systems. Additionally, disruption of media services can impact business continuity and user experience. The lack of known patches at the time of disclosure increases the urgency for mitigation to prevent exploitation.
Mitigation Recommendations
Immediate mitigation steps should include restricting network access to the Serviio Media Server's default port 23423 by implementing firewall rules to allow only trusted IP addresses or internal networks. If possible, disable or restrict the REST API endpoint until a patch or update is available. Network segmentation should be employed to isolate media servers from critical infrastructure and sensitive data repositories. Monitoring network traffic for unusual requests to the /rest/action endpoint and implementing intrusion detection/prevention systems with signatures for command injection attempts can help detect exploitation attempts. Administrators should upgrade to patched versions as soon as they become available from the vendor. In the interim, consider deploying application-layer proxies or web application firewalls (WAFs) that can sanitize or block malicious input targeting the VIDEO parameter. Regularly audit and review server logs for suspicious command execution or unexpected process activity. Finally, ensure that the Serviio Media Server runs with the least privileges necessary to limit the impact of potential exploitation.
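As an added illustration of the log-review and WAF recommendations above (example code, not from the advisory or from Serviio), the Python below parses access-log lines and flags requests to /rest/action whose VIDEO parameter carries cmd.exe metacharacters; the log format, the exact request shape and all addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters cmd.exe interprets specially; a plain stream URL has no business containing them.
CMD_METACHARS = re.compile(r'[&|<>^%!"`\r\n]')

# Common-log-format line: client, timestamp, request target, status. Assumed, not Serviio's own format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not captured from a real deployment).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:19:31:08 +0000] "GET /rest/action?VIDEO=http%3A%2F%2Fmedia.example.invalid%2Fclip.mp4 HTTP/1.1" 200 312
203.0.113.9 - - [10/Jul/2025:19:32:41 +0000] "GET /rest/action?VIDEO=http%3A%2F%2Fa.invalid%2Fx.mp4%26%26echo%20probe HTTP/1.1" 200 305
198.51.100.7 - - [10/Jul/2025:19:33:02 +0000] "GET /rest/status HTTP/1.1" 200 1024
"""


def allowed_stream_url(value: str) -> bool:
    """Allowlist a proxy or WAF could enforce: http(s) URL with a host and no shell metacharacters."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc) and not CMD_METACHARS.search(value)


def inspect_request(target: str):
    """Return the decoded VIDEO value when a /rest/action request fails the allowlist, else None."""
    parts = urlsplit(target)
    if parts.path != "/rest/action":
        return None
    # parse_qs percent-decodes, so %26 becomes a literal '&' in the value we inspect.
    for value in parse_qs(parts.query, keep_blank_values=True).get("VIDEO", []):
        if not allowed_stream_url(value):
            return value
    return None


def scan_log(text: str):
    """Return (client, timestamp, decoded VIDEO value) for each suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            value = inspect_request(m.group("target"))
            if value is not None:
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious VIDEO parameter: {value!r}")
```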
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.556Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 687014fca83201eaaca979e6
Added to database: 7/10/2025, 7:31:08 PM
Last enriched: 7/10/2025, 7:46:23 PM
Last updated: 8/14/2025, 7:44:06 PM
Related Threats
- CVE-2025-36088: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM Storage TS4500 Library (Medium)
- CVE-2025-43490: CWE-59 Improper Link Resolution Before File Access ('Link Following') in HP, Inc. HP Hotkey Support Software (Medium)
- CVE-2025-9060: CWE-20 Improper Input Validation in MSoft MFlash (Critical)
- CVE-2025-8675: CWE-918 Server-Side Request Forgery (SSRF) in Drupal AI SEO Link Advisor (Medium)
- CVE-2025-8362: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Drupal GoogleTag Manager (Medium)