CVE-2026-7704
Description
A vulnerability has been found in AV Stumpfl Pixera Two Media Server up to 25.1 R2. The affected element is an unknown function of the component Service Port 1338. Such manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. Upgrading to version 25.2 R3 is sufficient to fix this issue. It is advisable to upgrade the affected component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pixera Two Media Server up to 25.1 R2 contains a path traversal vulnerability in an unknown function on service port 1338, allowing attackers to read arbitrary files.
Vulnerability
Overview
CVE-2026-7704 describes a path traversal vulnerability in AV Stumpfl Pixera Two Media Server versions up to 25.1 R2. The flaw resides in an unknown function accessible via service port 1338. Path traversal allows an attacker to read files outside the intended directory, potentially exposing sensitive configuration or system files. The vulnerability has been publicly disclosed, increasing the risk of exploitation [1][2].
Exploitation
An attacker with access to the network can send crafted requests to port 1338, which is open by default. The exact manipulation required to trigger the path traversal is not detailed, but the disclosure indicates that the exploit is publicly available. No authentication is needed to exploit this issue, making it accessible to any network-level attacker [2].
Impact
Successful exploitation enables an attacker to read arbitrary files on the server. This could include credentials, configuration files, or other sensitive data. While this vulnerability alone does not provide remote code execution, it may be used in conjunction with other flaws to escalate an attack. The disclosure notes that multiple vulnerabilities exist in the same product, including a separate RCE issue [2].
Mitigation
AV Stumpfl has released version 25.2 R3, which fixes this vulnerability. The update introduces API allow-listing, restricting access to sensitive APIs by default. Users are strongly advised to upgrade to version 25.2 R3 or later. Additionally, applying strict IP whitelisting to limit access to the web panel and API from trusted sources can reduce the risk of exploitation [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=25.1 R2
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.