Executive Summary

CVE-2026-33482 is an OS Command Injection vulnerability in the WWBN AVideo platform, specifically in the sanitizeFFmpegCommand() function. This function attempts to sanitize ffmpeg command strings by removing dangerous shell metacharacters like &&, ;, |, backticks, <, and >, but it fails to remove the bash command substitution syntax $().

Because the sanitized command is executed inside a double-quoted sh -c context, the $() syntax is interpreted by the shell, allowing an attacker who can craft a valid encrypted payload to execute arbitrary commands on the standalone encoder server.

The attack requires crafting a malicious ffmpeg command containing $(), encrypting it with AES-256-CBC using a key derived from a salt and system root path, and sending it to the standalone encoder server via an unauthenticated parameter. The server decrypts, sanitizes (improperly), and executes the command, enabling remote code execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including:

• Remote Code Execution on the standalone encoder server with web server privileges.
• Lateral movement within the network, as encoders typically have access to the main AVideo server, potentially leading to further compromise.
• Data exfiltration, including access to video files, configuration data, and credentials.
• Service disruption by terminating encoding processes or exhausting system resources.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if your WWBN AVideo standalone encoder server is running a vulnerable version (up to and including 26.0) and if the sanitizeFFmpegCommand() function is being exploited via the unauthenticated codeToExecEncrypted parameter.

Since the attack requires sending an encrypted payload containing ffmpeg commands with bash command substitution syntax ($()), monitoring network traffic for unusual encrypted payloads sent to the endpoint plugin/API/standAlone/ffmpeg.json.php may help detect exploitation attempts.

You can also check running processes on the standalone encoder server for unexpected ffmpeg commands or shell commands that include suspicious patterns like $().

• Use network monitoring tools (e.g., tcpdump, Wireshark) to capture traffic to the standalone encoder server and filter for requests to plugin/API/standAlone/ffmpeg.json.php.
• On the encoder server, run commands to detect suspicious ffmpeg executions, for example: `ps aux | grep ffmpeg` and look for commands containing `$()`.
• Search logs for requests containing the codeToExecEncrypted parameter, e.g., `grep codeToExecEncrypted /var/log/nginx/access.log` or equivalent.
• If possible, decrypt captured payloads using the known key derivation method (sha256(saltV2) and IV from systemRootPath) to inspect for malicious command substitution.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves improving the sanitization of ffmpeg commands to prevent command injection by stripping all shell metacharacters that can be used for command substitution or chaining.

• Replace the current denylist-based sanitizeFFmpegCommand() function with an enhanced version that removes characters such as $, (, ), {, }, backslash, and newline characters in addition to the previously stripped characters.
• Ensure the sanitized command starts with an allowed prefix to restrict execution to permitted commands only.
• Consider parsing ffmpeg command arguments individually and applying escapeshellarg() to each argument before assembling the command to eliminate reliance on denylists.

Additionally, restrict access to the standalone encoder server and the unauthenticated codeToExecEncrypted API endpoint to trusted sources only, if possible.

Apply the patch from commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 as soon as it becomes available to fully address the vulnerability.

Useful 0 Not Useful 0