
CVE-2025-63952: n/a

Severity: Medium
Type: Vulnerability
Published: Mon Nov 24 2025 (11/24/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request.

AI-Powered Analysis

Last updated: 12/01/2025, 16:46:16 UTC

Technical Analysis

CVE-2025-63952 identifies a Cross-Site Request Forgery (CSRF) vulnerability in Magewell Pro Convert version 1.2.213, specifically within the /mwapi?method=add-user API endpoint. CSRF vulnerabilities occur when an attacker tricks an authenticated user into submitting a request that performs an unwanted action on a web application in which they are authenticated. In this case, the vulnerability allows an attacker to craft a GET request that, when executed by an authenticated user, results in the creation of arbitrary user accounts on the device. This can undermine the integrity of the device's user management system by enabling unauthorized account creation without the victim's explicit consent. The attack requires the victim to be logged into the device's management interface and to interact with a malicious link or webpage, which triggers the crafted request. The vulnerability does not directly impact confidentiality or availability but poses a significant risk to system integrity by potentially allowing privilege escalation or unauthorized access through newly created accounts. The CVSS 3.1 base score is 5.7 (medium), reflecting network attack vector, low attack complexity, required privileges, and user interaction. No patches or exploit code are currently publicly available, and no known exploits in the wild have been reported. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery).

Potential Impact

For European organizations, especially those in broadcasting, media production, and streaming services that utilize Magewell Pro Convert devices, this vulnerability could lead to unauthorized user account creation on critical video conversion hardware. Such unauthorized accounts might be leveraged to gain elevated privileges, alter device configurations, or disrupt media workflows, potentially causing operational disruptions or data integrity issues. While the vulnerability does not directly expose sensitive data or cause denial of service, the integrity compromise could facilitate further attacks or insider threats. Given the reliance on Magewell devices in professional AV environments, exploitation could impact service continuity and trustworthiness of media streams. Organizations with remote or web-accessible device management interfaces are particularly at risk, as attackers could lure authenticated administrators into triggering the malicious requests. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

Mitigation Recommendations

To mitigate CVE-2025-63952, organizations should first restrict access to the Magewell Pro Convert management interface to trusted networks and users only, ideally via VPN or secure management VLANs. Implement network-level controls such as IP whitelisting and firewall rules to limit exposure. Since the vulnerability exploits CSRF, applying anti-CSRF tokens or mechanisms in the device's web interface is recommended; if not available, request vendor patches or updates addressing this issue. Administrators should avoid clicking on untrusted links while authenticated to the device and educate users about CSRF risks. Regularly audit user accounts on the device for unauthorized additions and monitor logs for suspicious activity. If possible, disable or limit the add-user API endpoint or restrict its usage to authenticated sessions with strong authorization checks. Maintain up-to-date firmware and subscribe to Magewell security advisories for forthcoming patches. Finally, consider isolating the device management interface from general user networks to reduce attack surface.
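The log-monitoring recommendation above can be made concrete with a small detection script. This is an added example, not vendor or advisory code: it assumes the device is reached through a reverse proxy that writes combined-format access logs, and the host name `convert.example.internal` and all log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: host name(s) under which admins legitimately reach the device UI.
DEVICE_HOSTS = {"convert.example.internal"}

# Combined log format as written by common reverse proxies (assumed log source).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def is_add_user(target):
    """True when the request line targets /mwapi with method=add-user."""
    parts = urlsplit(target)
    methods = parse_qs(parts.query).get("method", [])
    return parts.path.rstrip("/") == "/mwapi" and "add-user" in methods

def referer_verdict(referer):
    """Classify the Referer relative to the device's own origin."""
    if referer in ("", "-"):
        # Browsers can omit the Referer, so absence is reviewed, not trusted.
        return "missing-referer"
    host = urlsplit(referer).hostname
    return "same-origin" if host in DEVICE_HOSTS else "cross-origin"

def find_suspect_add_user(lines):
    """Return add-user requests that did not originate from the device UI."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_add_user(m["target"]):
            continue
        reason = referer_verdict(m["referer"])
        if reason != "same-origin":
            findings.append({"ip": m["ip"], "ts": m["ts"], "verb": m["verb"],
                             "succeeded": m["status"].startswith("2"),
                             "reason": reason, "referer": m["referer"]})
    return findings

# Constructed sample log lines for illustration only.
SAMPLE_LOG = [
    '10.0.5.20 - - [01/Dec/2025:09:14:02 +0000] "GET /mwapi?method=add-user HTTP/1.1" 200 48 "https://convert.example.internal/" "Mozilla/5.0"',
    '10.0.5.20 - - [01/Dec/2025:09:31:47 +0000] "GET /mwapi?method=add-user HTTP/1.1" 200 48 "https://news.example.net/story" "Mozilla/5.0"',
    '10.0.5.31 - - [01/Dec/2025:10:02:11 +0000] "GET /mwapi?method=add-user HTTP/1.1" 200 48 "-" "Mozilla/5.0"',
    '10.0.5.20 - - [01/Dec/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_suspect_add_user(SAMPLE_LOG):
        print(finding)
```

Each finding with `succeeded` set should be reconciled against the device's user list as part of the account audit.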


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69248a62ea0759ac8b7c828b

Added to database: 11/24/2025, 4:40:02 PM

Last enriched: 12/1/2025, 4:46:16 PM

Last updated: 1/8/2026, 8:13:56 PM
