CVE-2025-25038

An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device. Exploitation evidence was observed by the Shadowserver Foundation on 2024-04-10 UTC.

CVSS

No CVSS.

References

Link	Resource
https://cxsecurity.com/issue/WLB-2022100039
https://packetstormsecurity.com/files/168744/
https://vulncheck.com/advisories/minidvblinux-command-injection
https://www.exploit-db.com/exploits/51096
https://www.fortiguard.com/encyclopedia/ips/52454
https://www.minidvblinux.de
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php

Configurations

No configuration.

History

20 Nov 2025, 17:15

Type	Values Removed	Values Added
CWE	~~CWE-20~~
Summary	(en) An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device.	(en) An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device. Exploitation evidence was observed by the Shadowserver Foundation on 2024-04-10 UTC.

Information

Published : 2025-06-20 19:15

Updated : 2025-11-20 17:15

NVD link : CVE-2025-25038

Mitre link : CVE-2025-25038

CVE.ORG link : CVE-2025-25038

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2025-25038", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-20T19:15:36.050", "references": [{"url": "https://cxsecurity.com/issue/WLB-2022100039", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/168744/", "source": "[email protected]"}, {"url": "https://vulncheck.com/advisories/minidvblinux-command-injection", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/51096", "source": "[email protected]"}, {"url": "https://www.fortiguard.com/encyclopedia/ips/52454", "source": "[email protected]"}, {"url": "https://www.minidvblinux.de", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system\u2019s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device.\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2024-04-10 UTC."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos en el sistema operativo MiniDVBLinux versi\u00f3n 5.4 y anteriores. La interfaz de administraci\u00f3n web del sistema no depura correctamente la entrada del usuario antes de pasarla a los comandos del sistema operativo. Un atacante remoto no autenticado puede explotar esta vulnerabilidad para ejecutar comandos arbitrarios como usuario root, lo que podr\u00eda comprometer todo el dispositivo."}], "lastModified": "2025-11-20T17:15:49.827", "sourceIdentifier": "[email protected]"}