CVE-2025-63953 identifies a Cross-Site Request Forgery (CSRF) vulnerability in Magewell Pro Convert version 1.2.213, specifically within the /usapi?method=add-user API endpoint. CSRF vulnerabilities occur when an attacker tricks an authenticated user into submitting a forged request, which the server processes with the user's privileges. In this case, the vulnerability allows an attacker to craft a GET request that, when executed by an authenticated user, results in the creation of arbitrary user accounts on the device. This can undermine system integrity by enabling unauthorized account creation, potentially leading to privilege escalation or unauthorized access to device management functions. The vulnerability does not directly impact confidentiality or availability but poses a significant risk to system integrity. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) indicates that the attack can be performed remotely over the network with low attack complexity, requires no privileges but does require user interaction (such as clicking a malicious link). The scope remains unchanged, and the impact is high on integrity. No patches or known exploits are currently documented, but the vulnerability is publicly disclosed as of November 24, 2025. Magewell Pro Convert devices are used for video capture and streaming, often in professional AV environments, which may be integrated into enterprise networks.

For European organizations, this vulnerability could allow attackers to create unauthorized user accounts on Magewell Pro Convert devices, potentially enabling further unauthorized access or manipulation of AV infrastructure. While the direct impact on confidentiality and availability is limited, the integrity compromise could facilitate lateral movement or persistent footholds within networks, especially in organizations relying on these devices for critical media workflows. This risk is heightened in sectors such as broadcasting, education, and corporate communications where Magewell products are deployed. Unauthorized accounts could be leveraged to disrupt operations or exfiltrate sensitive media content. The lack of patches increases exposure duration, and the requirement for user interaction means phishing or social engineering could be effective attack vectors. European entities with integrated AV and IT systems should consider this a moderate risk that could escalate if combined with other vulnerabilities.

Since no official patches are currently available, European organizations should implement compensating controls to mitigate this CSRF vulnerability. These include disabling or restricting access to the /usapi?method=add-user endpoint via network segmentation and firewall rules, limiting management interface exposure to trusted networks only. Employ web application firewalls (WAFs) to detect and block suspicious GET requests targeting this endpoint. Educate users to avoid clicking on untrusted links and implement strict browser security policies to reduce CSRF risks. Where possible, enable multi-factor authentication (MFA) on device management interfaces to reduce the impact of unauthorized account creation. Monitor device logs for unusual account creation activity and conduct regular audits of user accounts on Magewell devices. Engage with Magewell support for updates or interim patches and plan for prompt patch deployment once available. Additionally, consider deploying reverse proxies with CSRF protection capabilities in front of the devices.