{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/wwbn-avideo/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["avideo","rce","command-injection","web-application","linux"],"_cs_type":"advisory","_cs_vendors":["WWBN AVideo"],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is vulnerable to remote command execution (RCE) in versions up to and including 26.0. The vulnerability lies in the restreamer endpoint, where the application constructs a log file path by embedding unsanitized \u003ccode\u003eusers_id\u003c/code\u003e and \u003ccode\u003eliveTransmitionHistory_id\u003c/code\u003e values derived from the JSON request body. These attacker-controlled values are then directly concatenated into shell commands, which are subsequently executed using the \u003ccode\u003eexec()\u003c/code\u003e function. This allows an authenticated attacker to inject shell metacharacters such as \u003ccode\u003e$()\u003c/code\u003e or backticks, leading to arbitrary command execution on the server. This vulnerability allows complete compromise of the AVideo server. The patch is available in commit 99b865413172045fef6a98b5e9bfc7b24da11678.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker sends a crafted POST request to the \u003ccode\u003e/restreamer\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects shell metacharacters (e.g., \u003ccode\u003e$()\u003c/code\u003e, backticks) into the \u003ccode\u003eusers_id\u003c/code\u003e and/or \u003ccode\u003eliveTransmitionHistory_id\u003c/code\u003e parameters within the JSON request body.\u003c/li\u003e\n\u003cli\u003eThe AVideo application receives the request and constructs a log file path using the unsanitized input.\u003c/li\u003e\n\u003cli\u003eThe application concatenates the malicious log file path into a shell command string.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexec()\u003c/code\u003e function executes the crafted shell command on the server.\u003c/li\u003e\n\u003cli\u003eThe injected shell metacharacters trigger the execution of arbitrary commands on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, potentially leading to system compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker can then install malware, exfiltrate data, or pivot to other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the AVideo server. This can lead to complete system compromise, including data theft, malware installation, and denial of service. The specific number of affected AVideo instances is unknown, but given its open-source nature, the potential impact is significant if unpatched instances are exposed to the internet. This could affect any organization that uses AVideo as a video platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AVideo installations to a patched version that includes commit 99b865413172045fef6a98b5e9bfc7b24da11678 to remediate CVE-2026-33648.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003e/restreamer\u003c/code\u003e endpoint to prevent shell metacharacter injection, mitigating CVE-2026-33648.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo Restreamer RCE Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/restreamer\u003c/code\u003e containing shell metacharacters in the request body to identify potential exploitation attempts, helping to mitigate CVE-2026-33648.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-avideo-rce/","summary":"AVideo versions up to 26.0 are vulnerable to remote code execution due to unsanitized user-controlled input in the restreamer endpoint that is passed to shell commands.","title":"AVideo Restreamer Endpoint Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-30-avideo-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - WWBN AVideo","version":"https://jsonfeed.org/version/1.1"}