CVE-2025-34101
Serviio Media Server Unauthenticated Command Injection via checkStreamUrl VIDEO Parameter
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Serviio Media Server Unauthenticated Command Injection via checkStreamUrl VIDEO Parameter
An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.
Reserved 2025-04-15 | Published 2025-07-10 | Updated 2025-07-10 | Assigner VulnCheckCWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-306 Missing Authentication for Critical Function
CWE-20 Improper Input Validation
Gjoko Krstic of Zero Science Lab
www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php
packetstorm.news/files/id/142387
fortiguard.fortinet.com/encyclopedia/ips/44042
raw.githubusercontent.com/...viio_checkstreamurl_cmd_exec.rb
vulncheck.com/...ia-server-unauthenticated-command-injection
www.exploit-db.com/exploits/42023
Support options
