CVE-2025-34101 PUBLISHED

Serviio Media Server Unauthenticated Command Injection via checkStreamUrl VIDEO Parameter

Assigner: VulnCheck
Reserved: 15.04.2025 Published: 10.07.2025 Updated: 10.07.2025

An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Serviio
Product	Media Server
Versions	Default: unaffected affected from 1.4 to 1.8 (incl.)

Credits

Gjoko Krstic of Zero Science Lab finder

References

Problem Types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE
CWE-306 Missing Authentication for Critical Function CWE
CWE-20 Improper Input Validation CWE

Impacts

CAPEC-88 OS Command Injection
CAPEC-137 Parameter Injection
CAPEC-115 Authentication Bypass