CVE-2025-34101
Serviio Media Server Unauthenticated Command Injection via checkStreamUrl VIDEO Parameter
Vexday Risk Score
63Prioridad alta
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS 9.3EPSS 3.1%KEV nãoPoC públicaNuclei —Metasploit simPatch —
Ciclo de vida
03 may 2017Exploit Metasploit disponible
10 jul 2025Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Productos afectados
Serviio · Media ServerPoCs públicas encontradas — 4
cve_referencepacketstorm.news/files/id/142387no verificadocve_referenceraw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/serviio_checkstreamurl_cmd_exec.rbno verificadocve_referencewww.exploit-db.com/exploits/42023no verificadocve_referencewww.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.phpno verificado⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.
¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://fortiguard.fortinet.com/encyclopedia/ips/44042https://packetstorm.news/files/id/142387https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/serviio_checkstreamurl_cmd_exec.rbhttps://vulncheck.com/advisories/serviio-media-server-unauthenticated-command-injectionhttps://www.exploit-db.com/exploits/42023https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php