Impact
Serviio PRO 1.8 contains an improper access control flaw in its REST configuration API: the endpoint that changes the media browser administrative password accepts the request without authenticating the caller. Any client that can reach the API can therefore send a crafted request and set a new administrative password of its own choosing, taking over the administrative account without knowing the current credentials. The weakness is classified as CWE‑306, Missing Authentication for Critical Function. Because the password change is a critical, state-altering operation that the server performs for an unverified caller, a successful request gives the attacker full configuration control over the Serviio instance and, through it, access to all media content the server exposes. Note that the flaw lets an attacker reset the password rather than read it; the legitimate administrator is locked out once the change succeeds, which is itself a useful indicator of compromise. The resulting privileged position can be used for further exploitation of the media server host or as a foothold for lateral movement within the network.
Affected Systems
The affected product is Serviio PRO version 1.8. No other versions or product variants are listed as impacted. Every installation of this version carries the flaw regardless of host configuration; whether it is exploitable in practice depends only on whether the REST configuration API is reachable by the attacker, so instances whose API port is exposed beyond a trusted network are the ones at immediate risk.
Risk and Exploitability
The CVSS base score of 8.7 indicates high severity, while the EPSS score of less than 1 % suggests a relatively low observed probability of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog, but proof‑of‑concept exploit code and detailed advisories are publicly available, so an attacker needs no original research to weaponize it. The attack vector is a remote network connection to the exposed REST API over HTTP or HTTPS: the attacker sends a single crafted password-change request carrying no authentication token or session, and the server applies it. On success the attacker immediately holds administrative privileges, which may allow further compromise of the host or exploitation of other services. Practical mitigations while a fixed version is not in place are to block the REST API port at the network boundary so that only trusted administration hosts can reach it, and to monitor the API for password-change requests that lack any credentials.
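The following is an added illustration of the flaw class described in the Impact and Risk sections above; it is not Serviio's code and does not reproduce the real exploit. It models a tiny REST configuration handler in two forms, one that changes the administrative password for any caller (the CWE‑306 pattern) and one that authenticates the caller first, and includes the check a tester would run against each. The path /rest/users, the JSON body shape and the use of HTTP Basic authentication are assumptions made for the model, not details taken from the product.

```python
"""Model of a missing-authentication password-change endpoint (CWE-306) and its fix.

Added example, not Serviio's code.  Assumptions: a config endpoint at
PUT /rest/users taking {"password": "..."}; HTTP Basic auth as the fixed
mechanism.  Neither is taken from the real product.
"""
import base64
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class ServerState:
    """In-memory stand-in for the server's configuration store."""
    admin_user: str = "admin"
    admin_password: str = "initial-secret"
    audit: list = field(default_factory=list)


def _parse_json(body):
    try:
        return json.loads(body or "")
    except ValueError:
        return None


def vulnerable_handler(method, path, headers, body, state):
    """Vulnerable model: the password change is applied for any caller."""
    if method == "PUT" and path == "/rest/users":
        data = _parse_json(body)
        if not isinstance(data, dict) or not isinstance(data.get("password"), str):
            return 400, {"error": "bad request"}
        state.admin_password = data["password"]  # no check of who is asking
        state.audit.append(("password_changed", "caller not verified"))
        return 200, {"status": "ok"}
    return 404, {"error": "not found"}


def _basic_auth_ok(headers, state):
    """Validate an HTTP Basic credential against the stored admin account."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = raw.partition(":")
    if not sep:
        return False
    # Compare both fields in constant time so the check does not leak lengths.
    user_ok = hmac.compare_digest(user.encode(), state.admin_user.encode())
    pw_ok = hmac.compare_digest(password.encode(), state.admin_password.encode())
    return user_ok and pw_ok


def hardened_handler(method, path, headers, body, state):
    """Fixed model: every state-changing call under /rest/ must authenticate."""
    if path.startswith("/rest/") and method in ("PUT", "POST", "DELETE"):
        if not _basic_auth_ok(headers, state):
            return 401, {"error": "authentication required"}
    if method == "PUT" and path == "/rest/users":
        data = _parse_json(body)
        new_pw = data.get("password") if isinstance(data, dict) else None
        if not isinstance(new_pw, str) or len(new_pw) < 8:
            return 400, {"error": "password missing or too short"}
        state.admin_password = new_pw
        state.audit.append(("password_changed", "caller authenticated"))
        return 200, {"status": "ok"}
    return 404, {"error": "not found"}


def basic_auth_header(user, password):
    """Build the Authorization header a legitimate administrator would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def password_change_body(new_password):
    return json.dumps({"password": new_password})


def probe_unauth_password_change(handler):
    """Tester's check: send the change with no credentials at all.

    Returns True when the handler is vulnerable, i.e. it accepted the request
    and the stored password now equals the attacker-chosen value.
    """
    state = ServerState()
    status, _ = handler("PUT", "/rest/users", {}, password_change_body("attacker-chosen"), state)
    return status == 200 and state.admin_password == "attacker-chosen"


if __name__ == "__main__":
    print("vulnerable handler accepts unauthenticated change:",
          probe_unauth_password_change(vulnerable_handler))
    print("hardened handler accepts unauthenticated change:",
          probe_unauth_password_change(hardened_handler))
```

The probe is the same shape whichever implementation it is pointed at, which is the point: the request that takes over the vulnerable model carries nothing that identifies the sender, and a correct server must refuse it with 401 before looking at the body. The hardened form also enforces a minimum password length, since a password-reset endpoint that accepts an empty or trivial value is a second, weaker way to the same outcome.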
OpenCVE Enrichment