MiniDVBLinux Root Command Injection

Advisories

severity: critical
date: June 20, 2025
Affecting: MiniDVBLinux <= 5.4
An affected version range remains undefined
CVE: CVE-2025-25038
CVE type: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Shadowserver Exploitation Evidence
Zero Science Lab Disclosure (ZSL-2022-5717)
ExploitDB-51096
Credit: Gjoko Krstic of Zero Science
Description: An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device. Exploitation evidence was observed by the Shadowserver Foundation on 2024-04-10 UTC.
VulnCheck KEV: This advisory is in the VulnCheck KEV database