
CVE-2025-25214

Severity: High · Public PoC

Published: 24 July 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: see vendor references
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0122 (79.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25214 is a high-severity Race Condition (CWE-362) vulnerability in WWBN AVideo. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.6% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo version 14.4 and the development master commit 8a8954ff. The flaw, classified as CWE-362, allows a series of specially crafted HTTP requests to trigger arbitrary code execution on the affected system. It carries a CVSS v3.1 base score of 8.8, reflecting a network attack vector, low attack complexity, and low privileges required.

An authenticated attacker with low privileges can exploit the race condition by issuing concurrent or timed HTTP requests against the unzip endpoint. Successful exploitation grants the attacker the ability to execute arbitrary code, resulting in full compromise of confidentiality, integrity, and availability on the target server.

Public advisories published by Talos Intelligence at the referenced URLs describe the technical details of the issue in WWBN AVideo. The EPSS score remains low at 0.0122, with no material increase observed since disclosure.

Vulnerability details

A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A series of specially crafted HTTP requests can lead to arbitrary code execution.

CWE(s): CWE-362 (Race Condition)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The race condition in the web application's unzip handler directly enables remote arbitrary code execution over HTTP by an authenticated user, which matches exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33767 · Same product: WWBN AVideo
CVE-2026-33038 · Same product: WWBN AVideo
CVE-2026-41057 · Same product: WWBN AVideo
CVE-2026-33479 · Same product: WWBN AVideo
CVE-2026-34733 · Same product: WWBN AVideo
CVE-2025-48732 · Same product: WWBN AVideo
CVE-2026-28501 · Same product: WWBN AVideo
CVE-2026-33292 · Same product: WWBN AVideo
CVE-2026-41055 · Same product: WWBN AVideo
CVE-2026-33716 · Same product: WWBN AVideo

Affected Assets

Vendor: wwbn
Product: avideo
Version: 14.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent: SI-2 Flaw Remediation
Flaw remediation directly addresses the race condition vulnerability in aVideoEncoder.json.php by applying patches to prevent arbitrary code execution.

Detect: RA-5 Vulnerability Monitoring and Scanning
Vulnerability monitoring and scanning identifies the presence of CVE-2025-25214 in AVideo installations, enabling timely patching.

Prevent: SI-10 Information Input Validation
Information input validation checks specially crafted HTTP requests to the unzip functionality, mitigating exploitation of the race condition.
