Description
An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.
Published: 2025-07-10
Score: 9.3 Critical
EPSS: 3.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection vulnerability (CWE-78), coupled with input validation failures (CWE-20) and missing authentication (CWE-306), exists in Serviio Media Server. The flaw allows an attacker to send crafted HTTP requests to the /rest/action endpoint, where a VIDEO parameter is passed unsanitized into a call to cmd.exe. This results in arbitrary command execution under the privileges of the web server process, giving the attacker full control over the affected Windows system and compromising confidentiality, integrity, and availability.

Affected Systems

Serviio Media Server versions 1.4 through 1.8 running on Windows are affected. The vulnerability is exposed on the default REST API port 23423 and does not require authentication because the console component lacks access controls.

Risk and Exploitability

The CVSS score of 9.3 indicates a severe risk, and the EPSS score of 3% reflects a low likelihood of exploitation. While not listed in CISA KEV, the lack of authentication and the prevalence of the exposed API mean attackers can remotely access the vulnerability by sending HTTP requests from any network location that can reach port 23423. The exploit path is straightforward: craft a VIDEO parameter containing malicious commands and submit via the REST API, resulting in code execution with web‑server privileges.

Generated by OpenCVE AI on June 18, 2026 at 06:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Serviio Media Server release that fixes the checkStreamUrl command injection flaw.
  • If a newer version is unavailable, block or filter outbound traffic to port 23423 using a firewall or network ACL to prevent unauthenticated API access.
  • Alternatively, disable the console component or configure the REST API to listen only on localhost to limit exposure.

Generated by OpenCVE AI on June 18, 2026 at 06:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21036 An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.
History

Thu, 05 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Plex
Plex media Server Firmware
CPEs cpe:2.3:o:plex:media_server_firmware:*:*:*:*:*:*:*:*
Vendors & Products Plex
Plex media Server Firmware

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00727}

 epss

{'score': 0.00614}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00727}

Thu, 10 Jul 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 10 Jul 2025 19:30:00 +0000

Type Values Removed Values Added
Description An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.
Title Serviio Media Server Unauthenticated Command Injection via checkStreamUrl VIDEO Parameter
Weaknesses CWE-20
CWE-306
CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Plex Media Server Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:07:38.931Z

Reserved: 2025-04-15T19:15:22.556Z

Link: CVE-2025-34101

cve-icon Vulnrichment

Updated: 2025-07-10T20:25:05.488Z

cve-icon NVD

Status : Deferred

Published: 2025-07-10T20:15:25.877

Modified: 2026-06-17T09:13:28.033

Link: CVE-2025-34101

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T06:45:04Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-306

    Missing Authentication for Critical Function

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')