Critical severityNVD Advisory· Published Jul 10, 2025· Updated Apr 15, 2026

CVE-2025-34101

Description

An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

fortiguard.fortinet.com/encyclopedia/ips/44042nvd
packetstorm.news/files/id/142387nvd
raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/serviio_checkstreamurl_cmd_exec.rbnvd
vulncheck.com/advisories/serviio-media-server-unauthenticated-command-injectionnvd
www.exploit-db.com/exploits/42023nvd
www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.phpnvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.055
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000