CVE-2018-25310
Description
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cross-site request forgery flaw in the web management interface. Attackers with valid credentials can leverage the CSRF vulnerability to inject and execute system commands through the Tools > System > Shell interface, gaining root-level access to the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
VideoFlow DVP 2.10 suffers from an authenticated remote code execution vulnerability via CSRF, allowing attackers with valid credentials to execute arbitrary root-level commands.
The vulnerability is a cross-site request forgery (CSRF) flaw in the web management interface of VideoFlow Digital Video Protection (DVP) version 2.10. An authenticated attacker can craft a malicious request that, when processed by an administrative session, executes arbitrary system commands through the Tools > System > Shell interface. The root cause is the absence of CSRF protection in this functionality, allowing command injection without user interaction [1][3][4].
Exploitation requires valid credentials, as the attacker must be authenticated to the web interface. The default credentials (admin:admin, oper:oper, etc.) are well-known, making it trivial for an attacker who gains access to a network with a DVP device to authenticate and then craft a CSRF payload. The attack is network-based, requiring only that the victim admin visits a malicious page while logged into the DVP interface [3].
Successful exploitation grants root-level access to the underlying operating system (CentOS). Since DVP is used for live video broadcast protection, an attacker can disrupt video streams, exfiltrate data, or pivot to other network segments. The vulnerability affects multiple firmware versions, including the tested 1.40.0.15 and 2.10.0.5 [3][4].
As of the public disclosure dates (February 2018), no official patch was available. Mitigation includes changing default credentials, restricting network access to the management interface, and implementing generic CSRF defenses such as same-site cookies. The vulnerability is listed on Exploit-DB (EDB-ID 44387) and VulnCheck [3][4].
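With no vendor patch, one way to apply the generic CSRF defense mentioned above is to enforce request provenance at a reverse proxy placed in front of the management interface. The following is an added example, not code from VideoFlow or from the cited references; the hostname `dvp.example.internal`, the function names and the sample requests are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the only origin from which operators reach the management UI.
TRUSTED = {"https://dvp.example.internal"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def origin_of(url):
    """Return scheme://host[:port] of a URL, or None if it has no authority."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def allow_request(method, headers, trusted_origins=TRUSTED):
    """Decide whether the proxy forwards a request to the management UI.

    State-changing requests pass only when the browser-supplied Origin
    (or, failing that, Referer) names a trusted origin. If the device also
    changes state on GET, drop GET from SAFE_METHODS for those paths.
    """
    if method.upper() in SAFE_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    trusted = {o.lower() for o in trusted_origins}
    # Fetch Metadata: current browsers label requests from other sites.
    if h.get("sec-fetch-site") in ("cross-site", "same-site"):
        return False
    if "origin" in h:
        return h["origin"].lower() in trusted  # an opaque "null" never matches
    if "referer" in h:
        return origin_of(h["referer"]) in trusted
    return False  # no provenance headers at all: fail closed

def demo():
    """Run the check over constructed sample requests; returns the decisions."""
    samples = [
        ("POST", {"Origin": "https://dvp.example.internal"}),       # operator UI
        ("POST", {"Origin": "https://other.example"}),              # foreign page
        ("POST", {"Origin": "null"}),                               # sandboxed frame
        ("POST", {"Referer": "https://dvp.example.internal/ui"}),   # older browser
        ("POST", {}),                                               # no provenance
    ]
    return [allow_request(m, hdrs) for m, hdrs in samples]

if __name__ == "__main__":
    print(demo())
```

This check complements, and does not replace, changing the default credentials and restricting network access to the management interface.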
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2.10
Patches
No patches discovered yet.
References: 4
News mentions
No linked articles in our index yet.