Home

Description

An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.

PUBLISHED Reserved 2025-04-15 | Published 2025-07-10 | Updated 2026-05-14 | Assigner VulnCheck




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-306 Missing Authentication for Critical Function

CWE-20 Improper Input Validation

Product status

Default status
unaffected

1.4 (custom)
affected

Credits

Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php third-party-advisory exploit

packetstorm.news/files/id/142387 exploit

fortiguard.fortinet.com/encyclopedia/ips/44042 third-party-advisory

raw.githubusercontent.com/...viio_checkstreamurl_cmd_exec.rb exploit

vulncheck.com/...ia-server-unauthenticated-command-injection third-party-advisory

www.exploit-db.com/exploits/42023 exploit

cve.org (CVE-2025-34101)

nvd.nist.gov (CVE-2025-34101)

Download JSON