Executive Summary

CVE-2026-7704 involves two critical vulnerabilities in AV Stumpfl Pixera Two Media Server versions prior to 25.2 R3.

The first vulnerability is a Remote Code Execution (RCE) flaw that allows unauthenticated attackers on the network to execute arbitrary commands on the server via the default-configured websocket API on port 1338. These commands run with Administrator privileges under the av-stumpfl user.

The second vulnerability is an Arbitrary File Read issue, which enables attackers to read sensitive files on the server through path traversal on the same port, potentially exposing system files or registry data containing login hashes.

Both vulnerabilities were patched in version 25.2 R3, which introduced API allow-listing to restrict access.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of the Remote Code Execution vulnerability can lead to full system compromise, including unauthorized file modification, running cryptocurrency mining software, and pivoting within the network.

Because commands execute with Administrator privileges under the av-stumpfl user, attackers gain significant control over the affected system.

The Arbitrary File Read vulnerability can expose sensitive system files or registry data, such as login hashes, which can be used for further attacks or unauthorized access.

Overall, these vulnerabilities can severely compromise the confidentiality, integrity, and availability of the affected system.

Useful 0 Not Useful 0

Detection Guidance

CVE-2026-7704 affects AV Stumpfl Pixera Two Media Server versions prior to 25.2 R3 and involves vulnerabilities on the default-configured websocket API on port 1338.

To detect this vulnerability on your network or system, you can monitor or scan for open port 1338 on devices running Pixera Two Media Server. Checking for unusual or unauthorized websocket API activity on this port may indicate exploitation attempts.

Specific commands to detect the vulnerability are not provided in the available resources. However, general network scanning tools like nmap can be used to identify if port 1338 is open:

• nmap -p 1338 <target-ip>

Additionally, monitoring logs for suspicious commands or file access attempts via the websocket API on port 1338 could help detect exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation for CVE-2026-7704 is to upgrade AV Stumpfl Pixera Two Media Server to version 25.2 R3 or later, as this version includes patches for the vulnerabilities.

Additional immediate steps include:

• Apply strict IP allow-listing to restrict access to the websocket API on port 1338.
• Avoid exposing sensitive APIs such as filesystem or system utilities to untrusted networks.
• Monitor network traffic and logs for suspicious activity related to port 1338.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-7704 includes vulnerabilities that allow unauthenticated attackers to execute arbitrary commands and read sensitive files on the affected Pixera Two Media Server. This can lead to unauthorized access to sensitive data, including potentially login hashes and system files.

Such unauthorized access and potential data exposure could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Organizations using affected versions prior to 25.2 R3 should upgrade immediately and apply recommended mitigations to reduce the risk of non-compliance due to data breaches or unauthorized system access.

Useful 0 Not Useful 0