CVE-2025-66203: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in lemon8866 StreamVault
StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.
AI Analysis
Technical Summary
CVE-2025-66203 is a critical OS command injection vulnerability identified in lemon8866's StreamVault product, a video download integration solution. The vulnerability exists in versions prior to 251126 within the SpiritApplication component, specifically in the /admin/api/saveConfig endpoint. This endpoint allows administrators to configure command-line arguments for yt-dlp, a video downloader utility, but lacks sufficient input validation or sanitization. These arguments are stored globally and later used in YtDlpUtil.java to construct the command line for executing yt-dlp. Because special characters in the stored arguments are not neutralized (CWE-78), an attacker with administrative privileges can inject OS commands into that command line. This leads to remote code execution (RCE) with full system privileges, impacting confidentiality, integrity, and availability. The vulnerability has a CVSS v3.1 score of 10.0, reflecting its criticality: the attack vector is network, attack complexity is low, privileges are required, no user interaction is needed, and scope is changed because of the potential system-wide impact. Although no known exploits are reported in the wild, the flaw presents a severe risk if exploited. The issue was patched in version 251126, which adds validation and sanitization of the input parameters to prevent command injection.
Potential Impact
For European organizations, the impact of CVE-2025-66203 is significant. Successful exploitation allows attackers to execute arbitrary commands remotely with administrative privileges, potentially leading to full system compromise. This can result in data breaches, unauthorized access to sensitive video content, disruption of video services, and lateral movement within networks. Organizations relying on StreamVault for video download integration, especially in media, broadcasting, and content delivery sectors, face risks to operational continuity and data confidentiality. The vulnerability could also be leveraged for deploying ransomware or other malware, amplifying damage. Given the critical CVSS score and the nature of the flaw, unpatched systems represent a high-value target for attackers. The lack of required user interaction means automated attacks are feasible once administrative access is obtained or compromised. This elevates the threat level for European entities with exposed or poorly secured administrative interfaces.
Mitigation Recommendations
1. Immediately upgrade StreamVault installations to version 251126 or later, where the vulnerability is patched.
2. Restrict access to the /admin/api/saveConfig endpoint strictly to trusted administrators using network segmentation, VPNs, or zero-trust access controls.
3. Implement multi-factor authentication (MFA) for all administrative accounts to reduce the risk of credential compromise.
4. Monitor logs and network traffic for unusual command execution patterns or unexpected yt-dlp argument configurations.
5. Employ application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block command injection attempts.
6. Conduct regular security audits and penetration tests focusing on administrative interfaces and command execution paths.
7. Educate administrators on secure configuration practices and the risks of injecting unsanitized input into command lines.
8. If upgrading immediately is not feasible, consider temporarily disabling the vulnerable configuration endpoint or restricting its usage until patching is possible.
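The pattern described in the technical summary (admin-supplied yt-dlp arguments spliced into a command line) and the validation the mitigations call for, shown side by side as an added illustration. This is example code, not StreamVault's YtDlpUtil.java; the class name, the allowlist contents and the helper names are assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Illustrative only: YtDlpArgs and ALLOWED_OPTIONS are assumed names, not the project's code.
public final class YtDlpArgs {

    // Shell metacharacters that must never reach a command line built by string concatenation.
    // Parentheses are deliberately not listed: yt-dlp output templates legitimately use "%(title)s".
    private static final Pattern SHELL_META = Pattern.compile("[;&|`$<>\\\\\"'\\n\\r]");

    // Constructed allowlist of options an administrator may configure. Allowlisting also keeps out
    // yt-dlp options that themselves launch programs (for example --exec), which argv separation alone
    // does not prevent.
    private static final Set<String> ALLOWED_OPTIONS = Set.of(
            "--format", "--output", "--no-playlist", "--restrict-filenames", "--limit-rate");

    // VULNERABLE pattern (CWE-78): the stored configuration text is concatenated into one shell string,
    // so metacharacters in the value alter the command instead of being arguments to yt-dlp.
    static Process runUnsafe(String url, String adminArgs) throws IOException {
        return Runtime.getRuntime().exec(new String[] {"sh", "-c", "yt-dlp " + adminArgs + " " + url});
    }

    // HARDENED pattern: tokens are validated, then handed to the process as discrete argv elements
    // with no shell in between, so no token can be reinterpreted as a command separator.
    static Process runSafe(String url, List<String> adminArgs) throws IOException {
        List<String> cmd = new ArrayList<>();
        cmd.add("yt-dlp");
        cmd.addAll(validate(adminArgs));
        cmd.add("--"); // end-of-options marker: the URL is never parsed as an option
        cmd.add(url);
        return new ProcessBuilder(cmd).redirectErrorStream(true).start();
    }

    // Returns the arguments unchanged when every option is allowlisted and no token carries shell
    // metacharacters; throws otherwise. The same check fits both the saveConfig handler and an
    // audit pass over configuration already stored (mitigation item 4).
    static List<String> validate(List<String> args) {
        for (int i = 0; i < args.size(); i++) {
            String tok = args.get(i);
            if (SHELL_META.matcher(tok).find()) {
                throw new IllegalArgumentException("shell metacharacter in argument " + i);
            }
            if (tok.startsWith("-") && !ALLOWED_OPTIONS.contains(tok)) {
                throw new IllegalArgumentException("option not allowlisted: " + tok);
            }
        }
        return args;
    }
}
```

Rejecting at save time keeps bad values out of the global configuration store; running the same check over stored values after patching surfaces configurations written before the fix.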
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-24T23:01:29.677Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694f202f33784cecd4a18a53
Added to database: 12/26/2025, 11:54:23 PM
Last enriched: 1/3/2026, 12:10:41 AM
Last updated: 2/7/2026, 9:42:58 PM