CVE-2019-25255
Authenticated Remote Code Execution via CSRF in VideoFlow DVP
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| videoflow | digital_video_protection | 2.10 |
| videoflow | dvp_fortress | 2.10.0.5 |
| videoflow | dvp_protector | 1.40.0.15 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25255 is a critical security vulnerability in VideoFlow Digital Video Protection (DVP) version 2.10 and related systems. It involves hard-coded credentials and an authenticated remote code execution flaw exploitable via Cross-Site Request Forgery (CSRF). Attackers can exploit this vulnerability to execute arbitrary system commands with root privileges, gaining full control over the affected device and its broadcast functions. [1, 3]
How can this vulnerability impact me?
Exploiting this vulnerability allows an attacker to gain root-level access to the affected VideoFlow DVP device, enabling them to execute arbitrary system commands remotely. This can lead to complete system compromise, loss of control over broadcast functions, potential disruption of live video distribution, and unauthorized access to sensitive system resources. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking your VideoFlow Digital Video Protection (DVP) devices for default or hard-coded credentials: admin:admin, oper:oper, private:private, public:public and devel:devel for web management, and root:videoflow or mom:$1$CGgdGXXG$0FmyyKMzcHgkKnUTZi5r./ for SSH access. The resources do not provide specific commands; a check might consist of attempting to log in via SSH or the web interface using these default credentials. Additionally, unusual or unauthorized system commands executed remotely could indicate exploitation, so monitor for them. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include changing all default and hard-coded credentials on the affected VideoFlow DVP devices to strong, unique passwords to prevent unauthorized access. Restrict access to the management interfaces and SSH to trusted networks only. Implement protections against Cross-Site Request Forgery (CSRF) attacks, such as using anti-CSRF tokens or disabling unnecessary web management features. If possible, update or patch the device firmware to a version that addresses this vulnerability, although no vendor response or patch is mentioned. Monitoring for suspicious activity and isolating vulnerable devices from critical networks can also help reduce risk. [1, 3]