Cyber Resilience

CVE-2025-34434

CriticalPublic PoC

Published: 17 December 2025

Published
17 December 2025
Modified
19 December 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0042 32.9th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34434 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Wwbn Avideo. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-34434 is a missing authentication vulnerability (CWE-306) in AVideo versions prior to 20.1 when the ImageGallery plugin is enabled. The plugin's endpoints for managing gallery images fail to enforce authentication checks or validate ownership, enabling unauthenticated file upload and deletion for images associated with any image-based video. Published on 2025-12-17, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating critical impact on integrity and availability.

Unauthenticated remote attackers can exploit the vulnerable endpoints over the network with low attack complexity and no user interaction required. Successful exploitation allows attackers to upload arbitrary images to any video's gallery or delete existing ones without ownership restrictions, potentially disrupting content availability or enabling further compromise through malicious file uploads.

Advisories from VulnCheck and ChocaPikk detail the issue, while AVideo repository commits 4a53ab2056 and c279999cbd provide the fixes. Mitigation requires upgrading to AVideo version 20.1 or later to address the authentication and validation deficiencies in the ImageGallery plugin.

EU & UK References

Vulnerability details

AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload…

more

or delete images associated with any image-based video.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Missing authentication enables unauthenticated exploitation of public-facing web application (T1190). Allows arbitrary image/file uploads, facilitating web shell deployment for persistence (T1505.003) and potential further compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33719Same product: Wwbn Avideo
CVE-2026-33038Same product: Wwbn Avideo
CVE-2026-34731Same product: Wwbn Avideo
CVE-2026-34732Same product: Wwbn Avideo
CVE-2026-33647Same product: Wwbn Avideo
CVE-2026-40909Same product: Wwbn Avideo
CVE-2026-33507Same product: Wwbn Avideo
CVE-2026-28502Same product: Wwbn Avideo
CVE-2025-34436Same product: Wwbn Avideo
CVE-2026-33297Same product: Wwbn Avideo

Affected Assets

wwbn
avideo
≤ 20.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identification and documentation of actions permitted without authentication, preventing unauthenticated file upload and deletion on ImageGallery plugin endpoints.

prevent

Mandates enforcement of approved authorizations including authentication checks and ownership validation to block unauthorized access to gallery management functions.

prevent

Applies least privilege to ensure unauthenticated users have no access to upload or delete images associated with any video gallery.

References