Unauthenticated Remote Code Execution in AVideo by WWBN
CVE-2025-34433

9.3CRITICAL

Key Information:

Vendor

World Wide Broadcast Network

Status
Avideo
Vendor
CVE Published:
19 December 2025

What is CVE-2025-34433?

AVideo versions 14.3.1 and earlier than 20.1 are susceptible to an unauthenticated remote code execution issue. This vulnerability arises from a predictable installation salt generation, facilitated by the PHP uniqid() function. Attackers can exploit this flaw due to the exposure of the installation timestamp through a public endpoint. By leveraging unauthenticated API responses that include a hash identifier, a malicious actor can brute-force the salt's remaining entropy. Upon recovering the salt, the attacker can encrypt a harmful payload and send it to a notification API endpoint that processes attacker-controlled input, leading to the execution of arbitrary code on the server under the web server user’s privileges.

Affected Version(s)

AVideo 14.3.1 < 20.1

References

https://github.com/WWBN/AVideo/commit/4a53ab2
release-notes
https://github.com/WWBN/AVideo/commit/a2bdbff
patch
https://www.vulncheck.com/advisories/avideo-unauthenticat...
third-party-advisory

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein (Chocapikk)
JSON
.
CVE-2025-34433 : Unauthenticated Remote Code Execution in AVideo by WWBN