WWBN AVideo, an open-source video platform, suffers from a critical cryptographic weakness in its LoginControl plugin's PGP-based two-factor authentication (2FA) system in versions up to and including 26.0. The vulnerability arises because the `createKeys()` function generates 512-bit RSA keys, which have been considered insecure and factorable since 1999. An attacker who obtains a user's public key can factor the RSA modulus using commodity hardware within hours, thereby deriving the private key. With the private key, the attacker can decrypt any PGP 2FA challenge issued by the system, effectively bypassing the second factor of authentication and gaining unauthorized access to user accounts. Further exacerbating the issue, the `generateKeys.json.php` and `encryptMessage.json.php` endpoints do not require authentication, allowing anonymous users to trigger CPU-intensive key generation operations. This could lead to denial-of-service conditions through resource exhaustion. The vulnerability has a CVSS 3.1 base score of 7.4, reflecting high severity due to its impact on confidentiality and integrity without requiring privileges or user interaction. A patch has been committed (commit 00d979d87f8182095c8150609153a43f834e351e) to address these issues by increasing key strength and adding authentication checks to the endpoints. Until patched, systems remain at risk of account compromise and potential service disruption through abuse of exposed endpoints.

The primary impact of this vulnerability is the compromise of user account security through bypassing the second factor of authentication. Attackers can decrypt PGP 2FA challenges by factoring weak 512-bit RSA keys, allowing unauthorized access to user accounts and sensitive video content. This undermines the confidentiality and integrity of user data and platform access controls. Additionally, the unauthenticated key generation endpoints expose the platform to potential denial-of-service attacks by exhausting server CPU resources, which could degrade service availability. Organizations relying on WWBN AVideo for video hosting and streaming may face unauthorized data access, user impersonation, and service interruptions. The vulnerability could also erode user trust and lead to compliance issues if sensitive or regulated content is exposed. Since the attack requires only public key access and no user interaction, exploitation is relatively straightforward once the public key is obtained. The lack of authentication on key generation endpoints further broadens the attack surface, increasing risk.

Organizations should immediately upgrade WWBN AVideo to a version that includes the patch (commit 00d979d87f8182095c8150609153a43f834e351e) or later, which increases RSA key length to a secure standard (e.g., 2048 bits or higher) and adds authentication checks to key generation and encryption endpoints. Until patching is possible, administrators should restrict access to the `generateKeys.json.php` and `encryptMessage.json.php` endpoints using network-level controls such as firewalls or reverse proxies to limit requests to trusted users or internal networks. Review and rotate all existing PGP 2FA keys generated with 512-bit RSA to ensure they are replaced with stronger keys. Monitor server resource usage for unusual spikes that may indicate abuse of the exposed endpoints. Educate users about the vulnerability and encourage use of alternative or additional 2FA methods if available. Implement logging and alerting on authentication anomalies to detect potential exploitation attempts. Finally, conduct a security audit of the platform’s cryptographic implementations to ensure compliance with current best practices.