CVE-2025-34441: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in World Wide Broadcast Network AVideo
AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.
AI Analysis
Technical Summary
CVE-2025-34441 is a vulnerability identified in the World Wide Broadcast Network's AVideo platform, affecting all versions prior to 20.1. The core issue is an unauthenticated public API endpoint that returns sensitive user information without requiring any form of authentication or user interaction. The exposed data includes email addresses, usernames, administrative status flags, and last login timestamps. This data leakage constitutes a CWE-359 weakness, which is the exposure of private personal information to unauthorized actors. The vulnerability allows attackers to enumerate users, identify privileged accounts, and gather information useful for further targeted attacks such as phishing or credential stuffing. The CVSS 4.0 vector indicates the attack can be performed remotely over the network with low complexity, no privileges, and no user interaction required. The impact on confidentiality is significant due to the exposure of personal and administrative information, while integrity and availability impacts are limited but present due to potential follow-on attacks. No patches or exploits are currently documented, but the vulnerability is publicly known and documented as of December 2025. The lack of authentication on the API endpoint is a critical design flaw that undermines user privacy and security. Organizations using AVideo should consider this a priority vulnerability to address.
Potential Impact
For European organizations, the exposure of user emails, usernames, and administrative status can lead to multiple adverse outcomes. Privacy regulations such as GDPR impose strict requirements on protecting personal data; if this vulnerability is exploited, it could result in non-compliance and substantial fines. Attackers could leverage the exposed data to conduct targeted phishing campaigns, social engineering, or brute-force attacks against administrative accounts, potentially leading to unauthorized access or data breaches. The exposure of last login times can help attackers time their activity and identify which accounts are active. Organizations relying on AVideo for video content management or streaming services may face reputational damage if user data is leaked. Additionally, sectors with sensitive or regulated data, such as healthcare, education, or government entities using AVideo, are at heightened risk. The vulnerability does not directly allow system compromise, but it significantly lowers the barrier for further attacks and broadens the attack surface.
Mitigation Recommendations
The primary mitigation is to upgrade AVideo installations to version 20.1 or later, where this vulnerability is resolved. Until an upgrade is possible, organizations should restrict access to the vulnerable API endpoint by implementing network-level controls such as IP whitelisting or VPN-only access. Deploying Web Application Firewalls (WAFs) with rules to detect and block requests to the exposed endpoint can reduce risk. Monitoring logs for unusual API requests or spikes in user enumeration attempts can provide early detection of exploitation attempts. Organizations should review and tighten access controls on administrative accounts, enforce strong authentication mechanisms, and consider multi-factor authentication to mitigate risks from credential-based attacks. Conducting user awareness training on phishing risks is also recommended. Finally, organizations should perform regular audits of their AVideo deployments and ensure that sensitive endpoints are not publicly accessible without proper authentication.
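The log-monitoring recommendation above can be made concrete with a small detector. The following is an added example, not code from the advisory or from the AVideo project: it parses web-server access logs in the common "combined" format, flags requests to the sensitive endpoint that originate outside an operator-defined allowlist, and flags source addresses whose request rate to that endpoint looks like user enumeration. The endpoint path `SENSITIVE_PATH`, the allowlist network, the threshold and window, and the log lines in `SAMPLE_LOG` are all constructed placeholders; the real AVideo endpoint path is not given on this page and must be substituted by the operator.

```python
"""Detect enumeration-style access to an unauthenticated API endpoint.

Added example (not from the AVideo project or this advisory). It assumes:
  - access logs in Apache/nginx "combined" format;
  - SENSITIVE_PATH is a PLACEHOLDER for the operator's real endpoint path;
  - ALLOWED_NETS lists networks permitted to call the endpoint (assumption).
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_PATH = "/api/PLACEHOLDER_user_endpoint"   # placeholder, substitute real path
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal admin network
THRESHOLD = 5                 # hits on the endpoint within WINDOW that count as enumeration
WINDOW = timedelta(minutes=5)

# Combined log format: ip ident user [ts] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log: one external client walking user ids quickly, one
# internal client, one external client with a single request plus a 404.
SAMPLE_LOG = [
    f'203.0.113.5 - - [17/Dec/2025:19:51:0{i} +0000] '
    f'"GET {SENSITIVE_PATH}?user={i} HTTP/1.1" 200 412 "-" "curl/8.0"'
    for i in range(1, 8)
] + [
    f'10.0.0.4 - - [17/Dec/2025:19:52:10 +0000] '
    f'"GET {SENSITIVE_PATH}?user=1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - [17/Dec/2025:19:55:40 +0000] '
    f'"GET {SENSITIVE_PATH}?user=3 HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '198.51.100.9 - - [17/Dec/2025:19:55:41 +0000] '
    '"GET /index.php HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def is_allowed(ip):
    """True if the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def analyse(lines):
    """Return findings for successful (HTTP 200) requests to SENSITIVE_PATH:
    'external_access': source IPs outside the allowlist that reached the endpoint;
    'enumeration': source IPs with >= THRESHOLD hits inside any WINDOW-long span."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != SENSITIVE_PATH or rec["status"] != 200:
            continue
        hits[rec["ip"]].append(rec["ts"])

    findings = {"external_access": [], "enumeration": []}
    for ip, stamps in hits.items():
        if not is_allowed(ip):
            findings["external_access"].append(ip)
        stamps.sort()
        j = 0  # sliding window: stamps[j:i+1] all lie within WINDOW of stamps[i]
        for i, t in enumerate(stamps):
            while stamps[j] < t - WINDOW:
                j += 1
            if i - j + 1 >= THRESHOLD:
                findings["enumeration"].append(ip)
                break
    return findings


if __name__ == "__main__":
    for kind, ips in analyse(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(ips) or 'none'}")
```

The two findings are deliberately separate: a single external request proves the endpoint is reachable without authentication (a configuration problem to fix with the network-level controls or WAF rules described above), whereas the rate-based finding is what distinguishes an enumeration run from a stray hit and is the signal worth alerting on.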
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.602Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694309ba0b6f32e62bf653d5
Added to database: 12/17/2025, 7:51:22 PM
Last enriched: 12/24/2025, 8:19:35 PM
Last updated: 2/6/2026, 2:09:05 AM
Related Threats
- CVE-2026-1972: Use of Default Credentials in Edimax BR-6208AC (Medium)
- CVE-2026-1971: Cross Site Scripting in Edimax BR-6288ACL (Medium)
- CVE-2026-23623: CWE-285: Improper Authorization in CollaboraOnline online (Medium)
- CVE-2025-32393: CWE-770: Allocation of Resources Without Limits or Throttling in Significant-Gravitas AutoGPT (High)
- CVE-2026-24302: CWE-284: Improper Access Control in Microsoft Azure ARC (High)