CVE-2025-25214
Published: 24 July 2025
Summary
CVE-2025-25214 is a high-severity race condition (CWE-362) vulnerability in WWBN AVideo. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo version 14.4 and the development master commit 8a8954ff. The flaw, tracked as CWE-362, allows a series of specially crafted HTTP requests to trigger arbitrary code execution on the affected system. It carries a CVSS 3.1 base score of 8.8, reflecting network attack vector, low attack complexity, and low privileges required.
An authenticated attacker with low privileges can exploit the race condition by issuing concurrent or timed HTTP requests against the unzip endpoint. Successful exploitation grants the attacker the ability to execute arbitrary code, resulting in full compromise of confidentiality, integrity, and availability on the target server.
Public advisories published by Talos Intelligence at the referenced URLs describe the technical details of the issue in WWBN AVideo. The EPSS score remains low at 0.0122 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22534
Vulnerability details
A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A series of specially crafted HTTP requests can lead to arbitrary code execution.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The race condition in the web application's unzip handler directly enables remote arbitrary code execution over HTTP by an authenticated user, which matches exploitation of a public-facing application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly addresses the race condition vulnerability in aVideoEncoder.json.php by applying patches to prevent arbitrary code execution.
Vulnerability monitoring and scanning identifies the presence of CVE-2025-25214 in AVideo installations, enabling timely patching.
Information input validation checks specially crafted HTTP requests to the unzip functionality, mitigating exploitation of the race condition.