CVE-2019-25255
Unknown Unknown - Not Provided
Authenticated Remote Code Execution via CSRF in VideoFlow DVP

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows attackers to execute system commands with root privileges. Attackers can exploit the vulnerability through a cross-site request forgery (CSRF) mechanism to gain unauthorized system access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25255
EUVD
EUVD-2025-205294
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
videoflow digital_video_protection 2.10
videoflow dvp_fortress 2.10.0.5
videoflow dvp_protector 1.40.0.15
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25255 is a critical security vulnerability in VideoFlow Digital Video Protection (DVP) version 2.10 and related systems. It involves hard-coded credentials and an authenticated remote code execution flaw exploitable via Cross-Site Request Forgery (CSRF). Attackers can exploit this vulnerability to execute arbitrary system commands with root privileges, gaining full control over the affected device and its broadcast functions. [1, 3]

Impact Analysis

Exploiting this vulnerability allows an attacker to gain root-level access to the affected VideoFlow DVP device, enabling them to execute arbitrary system commands remotely. This can lead to complete system compromise, loss of control over broadcast functions, potential disruption of live video distribution, and unauthorized access to sensitive system resources. [1, 3]

Detection Guidance

You can detect this vulnerability by checking for the presence of default or hard-coded credentials on your VideoFlow Digital Video Protection (DVP) devices, such as admin:admin, oper:oper, private:private, public:public, devel:devel for web management, and root:videoflow or mom:$1$CGgdGXXG$0FmyyKMzcHgkKnUTZi5r./ for SSH access. Commands to check for these credentials might include attempting to log in via SSH or web interface using these default credentials. Additionally, monitoring for unusual or unauthorized system commands executed remotely could indicate exploitation. Specific commands are not provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include changing all default and hard-coded credentials on the affected VideoFlow DVP devices to strong, unique passwords to prevent unauthorized access. Restrict access to the management interfaces and SSH to trusted networks only. Implement protections against Cross-Site Request Forgery (CSRF) attacks, such as using anti-CSRF tokens or disabling unnecessary web management features. If possible, update or patch the device firmware to a version that addresses this vulnerability, although no vendor response or patch is mentioned. Monitoring for suspicious activity and isolating vulnerable devices from critical networks can also help reduce risk. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25255. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart