CVE-2025-25038 - Vulnerability Details

- MiniDVBLinux Root Command Injection

Description

An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device. Exploitation evidence was observed by the Shadowserver Foundation on 2024-04-10 UTC.

Published: 2025-06-20

Score: 9.3 Critical

EPSS: 29.2% Moderate

KEV: No

Impact:

Action:

Analysis

Impact

An OS command injection flaw in MiniDVBLinux allows a remote, unauthenticated attacker to supply unsanitized input that is passed directly to the system shell. Because the web‑based management interface executes commands with root privileges, the vulnerability gives full control over the device, including modifying configurations, installing backdoors, or disabling services. The weakness corresponds to CWE‑78 and can lead to complete compromise of the target.

Affected Systems

MiniDVBLinux devices running version 5.4 or earlier are affected. The vulnerability exists in the publicly accessible web management interface of all affected installations, regardless of network placement. No specific vendor folder other than MiniDVBLinux.

Risk and Exploitability

The flaw carries a CVSS score of 9.3 and an EPSS of 29 %, indicating both high severity and a relatively high likelihood of exploitation. The attack can be carried out from any network connected to the management interface without authentication, enabling the execution of arbitrary commands as root. Because the vulnerability is already public and has been used in the wild, the risk is immediate and significant; the addition of the 29 % EPSS score further emphasizes that exploitation is expected to occur soon.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MiniDVBLinux

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.4

Configuration 1 [-]

cpe:2.3:a:minidvblinux:minidvblinux:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the device firmware to a version newer than 5.4, or apply the vendor’s patch if available.
Restrict the web management interface to a trusted internal subnet or VPN, and block all external access unless necessary.
Enable logging and monitoring of shell command execution, and set up alerts for unexpected root activity.

Generated by OpenCVE AI on April 28, 2026 at 01:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-18780	An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.29206.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://cxsecurity.com/issue/WLB-2022100039
https://packetstormsecurity.com/files/168744/
https://vulncheck.com/advisories/minidvblinux-command-injection
https://www.exploit-db.com/exploits/51096
https://www.fortiguard.com/encyclopedia/ips/52454
https://www.minidvblinux.de
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php

History

Mon, 22 Dec 2025 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Minidvblinux Minidvblinux minidvblinux
CPEs		cpe:2.3:a:minidvblinux:minidvblinux::::::::
Vendors & Products		Minidvblinux Minidvblinux minidvblinux
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 20 Nov 2025 17:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-20

Thu, 20 Nov 2025 16:30:00 +0000

Type	Values Removed	Values Added
Description	An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device.	An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device. Exploitation evidence was observed by the Shadowserver Foundation on 2024-04-10 UTC.

Mon, 23 Jun 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 20 Jun 2025 19:00:00 +0000

Type	Values Removed	Values Added
Description		An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device.
Title		MiniDVBLinux Root Command Injection
Weaknesses		CWE-20 CWE-78
References		https://cxsecurity.com/issue/WLB-2022100039 https://packetstormsecurity.com/files/168744/ https://vulncheck.com/advisories/minidvblinux-command-injection https://www.exploit-db.com/exploits/51096 https://www.fortiguard.com/encyclopedia/ips/52454 https://www.minidvblinux.de https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Minidvblinux Minidvblinux

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-06-20T18:36:09.946Z

Updated: 2026-04-07T14:08:59.643Z

Reserved: 2025-01-31T18:32:36.214Z

Link: CVE-2025-25038

Vulnrichment

Updated: 2025-06-23T20:34:25.969Z

NVD

Status : Analyzed

Published: 2025-06-20T19:15:36.050

Modified: 2025-12-22T17:46:41.027

Link: CVE-2025-25038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T01:30:17Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object