CVE-2025-34433
Unknown Unknown - Not Provided
Unauthenticated Remote Code Execution in AVideo via Predictable Salt

Publication date: 2025-12-19

Last updated on: 2025-12-19

Assigner: VulnCheck

Description
AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34433
EUVD
EUVD-2025-204542
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wwbn avideo 14.3.1
wwbn avideo 20.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-34433 is a critical unauthenticated remote code execution vulnerability in AVideo versions 14.3.1 up to but not including 20.1. It occurs because the installation salt used for encryption is generated predictably using PHP's uniqid() function. The installation timestamp is publicly exposed, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy of the salt. Once the salt is recovered, attackers can encrypt a malicious payload with it and send it to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution on the web server with the privileges of the web server user. [1]

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code on the web server running AVideo without any authentication. This means the attacker can potentially take full control of the server, access sensitive data, modify or delete content, disrupt services, or use the server as a foothold for further attacks within the network. [1]

Detection Guidance

Detection can focus on identifying AVideo versions from 14.3.1 up to but not including 20.1, as these are vulnerable. You can check the exposed installation timestamp endpoint and unauthenticated API responses for the derived hash identifier. Network monitoring for unusual requests to the notification API endpoint that accepts encrypted payloads may also help. Specific commands are not provided in the resources, but you can start by querying the version of AVideo installed and inspecting API endpoints for the installation timestamp and hash identifier exposure. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade AVideo to version 20.1 or later, where the vulnerability is fixed. The fix removes the use of the predictable legacy salt and enforces the use of a secure saltV2 for encryption and decryption, eliminating the cryptographic weakness. If upgrading is not immediately possible, restrict access to the public endpoints exposing the installation timestamp and hash identifier, and monitor or block suspicious requests to the notification API endpoint that evaluates attacker-controlled input. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34433. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart