CVE-2025-34433
Unauthenticated Remote Code Execution in AVideo via Predictable Salt

Publication date: 2025-12-19

Last updated on: 2025-12-19

Assigner: VulnCheck

Description
AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). Without the more_entropy flag, uniqid() returns only the current time as 8 hex digits of seconds followed by 5 hex digits of microseconds, so the salt carries less than 20 bits of entropy once the second is known. The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy offline by hashing each candidate salt and comparing it to the exposed identifier. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user.
Meta Information
Published: 2025-12-19
Last Modified: 2025-12-19
Generated: 2026-05-07
AI Q&A: 2025-12-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor  Product  Version / Range
wwbn    avideo   14.3.1 (first affected version)
wwbn    avideo   20.1 (fixed version; the affected range per the description is 14.3.1 up to but not including 20.1)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-34433 is an unauthenticated remote code execution vulnerability in AVideo versions 14.3.1 up to but not including 20.1. It occurs because the installation salt used for encryption is generated predictably using PHP's uniqid() function, whose output is just the current time in hex. The installation timestamp is publicly exposed, and a derived hash identifier is accessible through unauthenticated API responses, so an attacker only has to brute-force the remaining entropy of the salt (the sub-second part) and check each candidate against the exposed hash. Once the salt is recovered, attackers can encrypt a malicious payload with it and send it to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution on the web server with the privileges of the web server user. [1]
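The salt-recovery step that the Description and the answer above outline, as an added Python example that is not AVideo's own code: PHP's uniqid() with no prefix and more_entropy=false formats the current time as 8 hex digits of seconds followed by 5 hex digits of microseconds, so once the installation second is public only the microsecond field (1,000,000 values, about 20 bits) is unknown. The derived identifier is modelled here as md5(salt), which is an assumption; the page says only that a hash derived from the salt is exposed, and the real derivation may differ. The search also accepts a window of candidate seconds, generalizing the single-second case for a coarser public timestamp. A CSPRNG-backed replacement salt is included for contrast with the fix's saltV2, without claiming to be AVideo's implementation.

```python
import hashlib
import math
import secrets
from typing import Optional


def php_uniqid(seconds: int, microseconds: int) -> str:
    """Model of PHP uniqid() with no prefix and more_entropy=false:
    sprintf("%08x%05x", sec, usec). Microseconds range 0..999999, so the
    last five hex digits hold under 20 bits of entropy."""
    if not 0 <= microseconds < 1_000_000:
        raise ValueError("microseconds out of range")
    return f"{seconds:08x}{microseconds:05x}"


def derived_identifier(salt: str) -> str:
    # Assumption: the exposed identifier is md5(salt). The page states only
    # that a hash derived from the salt is reachable without authentication.
    return hashlib.md5(salt.encode("ascii")).hexdigest()


def recover_salt(install_seconds: int, exposed_identifier: str,
                 window_seconds: int = 1) -> Optional[str]:
    """Brute-force the microsecond field (and a few candidate seconds if the
    public timestamp is coarse) until the derived identifier matches.
    Worst case is window_seconds * 1e6 hashes, trivial on a laptop."""
    for sec in range(install_seconds, install_seconds + window_seconds):
        for usec in range(1_000_000):
            candidate = php_uniqid(sec, usec)
            if derived_identifier(candidate) == exposed_identifier:
                return candidate
    return None


def remaining_entropy_bits(window_seconds: int = 1) -> float:
    """Entropy left to guess once the install second is known, or known to
    within window_seconds."""
    return math.log2(window_seconds * 1_000_000)


def secure_salt(nbytes: int = 32) -> str:
    """What a salt should look like: nbytes from the OS CSPRNG, not a
    timestamp. 32 bytes gives 256 bits of entropy versus ~20 for uniqid()."""
    return secrets.token_hex(nbytes)


def demo() -> dict:
    # Constructed values: a hypothetical install at this Unix second and
    # microsecond. The attacker sees only install_seconds and the identifier.
    install_seconds = 1_700_000_000
    true_usec = 123_456
    salt = php_uniqid(install_seconds, true_usec)
    identifier = derived_identifier(salt)
    recovered = recover_salt(install_seconds, identifier)
    return {
        "salt": salt,
        "recovered": recovered,
        "match": recovered == salt,
        "bits_to_guess": round(remaining_entropy_bits(), 1),
        "secure_bits": len(secure_salt()) * 4,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is the cost asymmetry: with the second known, recovery is one hash per microsecond value, and even a timestamp known only to within a minute keeps the search at about 26 bits. Swapping uniqid() for a CSPRNG salt removes the attack regardless of what else is exposed, which is why the fix replaces the legacy salt rather than merely hiding the timestamp.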


How can this vulnerability impact me?

This vulnerability allows an attacker to execute arbitrary code on the web server running AVideo without any authentication. This means the attacker can potentially take full control of the server, access sensitive data, modify or delete content, disrupt services, or use the server as a foothold for further attacks within the network. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection starts with the installed version: any AVideo deployment from 14.3.1 up to but not including 20.1 should be treated as vulnerable regardless of configuration. Beyond the version check, confirm whether the installation timestamp is reachable by an unauthenticated request and whether the derived hash identifier appears in unauthenticated API responses; if both are exposed, the brute-force precondition holds. In web server access logs, look for bursts of unauthenticated requests to the notification API endpoint carrying encrypted payloads, since that endpoint is the delivery path for the attacker's input. The resources do not provide specific commands or endpoint paths, so start by querying the installed AVideo version and inspecting the public API responses for the timestamp and hash identifier exposure. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade AVideo to version 20.1 or later, where the vulnerability is fixed. The fix removes the use of the predictable legacy salt and enforces the secure saltV2 for encryption and decryption, so a recovered legacy salt no longer lets an attacker forge payloads. If upgrading is not immediately possible, restrict access to the public endpoints exposing the installation timestamp and hash identifier, and monitor or block suspicious requests to the notification API endpoint that evaluates attacker-controlled input; these are stopgaps only, because the weak salt remains in place until the upgrade. [1, 2]

