{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/tinyice/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["tinyice"],"_cs_severities":["high"],"_cs_tags":["webrtc","stream-injection","missing-authentication"],"_cs_type":"advisory","_cs_vendors":["DatanoiseTV"],"content_html":"\u003cp\u003eTinyIce, a lightweight streaming server, contains a vulnerability that allows unauthenticated users to inject streams into existing mounts. The vulnerability, present in versions 0.8.95 through 2.4.1, stems from a missing authentication check on the \u003ccode\u003e/webrtc/source-offer\u003c/code\u003e endpoint. Introduced on 2026-02-21, this flaw enables attackers to bypass the intended source password protection and inject arbitrary audio/video content into live broadcasts. This poses a significant threat to the integrity of broadcasts, as attackers can replace legitimate content with malicious or disruptive material. Patched in version 2.5.0, this vulnerability (CVE-2026-45327) requires immediate attention from TinyIce users to prevent potential broadcast hijacking.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target mount point on a TinyIce server. Mount names are often public, appearing in directory listings, player URLs, and YP listings.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SDP (Session Description Protocol) offer for a WebRTC connection.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003e/webrtc/source-offer\u003c/code\u003e endpoint, including the target mount point as a query parameter (\u003ccode\u003e?mount=\u0026lt;mount\u0026gt;\u003c/code\u003e) and the malicious SDP offer in the request body.\u003c/li\u003e\n\u003cli\u003eThe vulnerable TinyIce server, lacking authentication, processes the malicious SDP offer via \u003ccode\u003eWebRTCManager.HandleSourceOffer\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server establishes a WebRTC peer connection with the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes arbitrary audio (Opus) and video (H.264) tracks via the established WebRTC connection.\u003c/li\u003e\n\u003cli\u003eThe TinyIce server broadcasts the attacker\u0026rsquo;s injected audio/video content to all listeners subscribed to the target mount point.\u003c/li\u003e\n\u003cli\u003eListeners receive the attacker\u0026rsquo;s injected stream instead of the legitimate source\u0026rsquo;s content, resulting in a broadcast hijack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to inject arbitrary audio and video content into live broadcasts, effectively hijacking the stream. This can be used to broadcast silence, disruptive noise, malicious content, or competitor branding. While the legitimate publisher can attempt to re-establish their session, the attacker can immediately reconnect, leading to a sustained broadcast hijack until manual intervention occurs. The CVSS 3.1 base score is 7.4 (High), emphasizing the potential for significant integrity impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade TinyIce to version 2.5.0 or later to apply the patch that fixes CVE-2026-45327.\u003c/li\u003e\n\u003cli\u003eImplement the workaround by blocking \u003ccode\u003ePOST /webrtc/source-offer\u003c/code\u003e at the reverse proxy to prevent unauthorized access to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect TinyIce WebRTC Unauthenticated SDP Offer\u0026rdquo; to identify potential exploitation attempts in webserver logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect TinyIce Authentication Failure for WebRTC Source\u0026rdquo; to monitor for failed authentication attempts after patching or applying workarounds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T17:21:12Z","date_published":"2026-05-18T17:21:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-tinyice-webrtc-injection/","summary":"TinyIce versions 0.8.95 through 2.4.1 are vulnerable to unauthenticated stream injection due to a missing authentication check on the WebRTC ingest endpoint (/webrtc/source-offer), allowing a network attacker to hijack broadcasts by publishing arbitrary audio/video to a target mount, replacing the legitimate source's content; patched in version 2.5.0 (CVE-2026-45327).","title":"TinyIce Unauthenticated WebRTC Stream Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-tinyice-webrtc-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Tinyice","version":"https://jsonfeed.org/version/1.1"}