Cyber Resilience

CVE-2025-34436

Severity: High · Public PoC
Published: 17 December 2025
Modified: 19 December 2025
KEV added: not listed
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0038 (29.2nd percentile)
Risk priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34436 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wwbn Avideo. Its CVSS v4 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks it at the 29.2nd percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-34436 is an insecure direct object reference (IDOR) vulnerability, classified under CWE-639, affecting AVideo versions prior to 20.1. The flaw lies in the platform's upload functionality, which authenticates the caller but does not verify that the target directory belongs to that caller. As a result, any authenticated user can upload files into directories owned by other users. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): it is remotely exploitable with low attack complexity, hence the high severity.

An attacker holding a low-privilege authenticated account (PR:L) can exploit the flaw over the network (AV:N) without user interaction (UI:N). By manipulating the object reference in an upload request, they can place arbitrary files in other users' directories, potentially leading to high-impact confidentiality breaches (e.g., overwriting sensitive data), integrity violations (e.g., injecting malicious code), and availability disruptions (e.g., filling storage). No elevation beyond the initial privileges is required, and the scope is unchanged (S:U).

Advisories from VulnCheck and Chocapikk detail the issue, and GitHub commits 4a53ab2056 and c279999cbd in the WWBN/AVideo repository carry the fix. Mitigation is to upgrade to AVideo 20.1 or later, where ownership verification was added to the upload process so that a user can no longer write into another user's directory.

Vulnerability details

AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The IDOR sits in AVideo's public-facing upload functionality, so exploiting it means exploiting an exposed web application (T1190). Because it lets an authenticated user write arbitrary files, including potential web shells, into directories they do not own, it can also serve as a persistence mechanism (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33297 (same product: Wwbn Avideo)
CVE-2025-34437 (same product: Wwbn Avideo)
CVE-2026-33647 (same product: Wwbn Avideo)
CVE-2026-33507 (same product: Wwbn Avideo)
CVE-2026-40909 (same product: Wwbn Avideo)
CVE-2025-34434 (same product: Wwbn Avideo)
CVE-2026-28502 (same product: Wwbn Avideo)
CVE-2025-25214 (same product: Wwbn Avideo)
CVE-2026-33292 (same product: Wwbn Avideo)
CVE-2026-41055 (same product: Wwbn Avideo)

Affected Assets

wwbn avideo, versions ≤ 20.0

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent: AC-3 (Access Enforcement) mandates enforcement of approved access authorizations, directly preventing the IDOR by requiring ownership verification before a file upload into a user directory is allowed.

Prevent: SI-10 (Information Input Validation) requires validation of inputs such as the directory reference in an upload request, confirming that it refers to a directory belonging to the authenticated user.

Prevent: AC-6 (Least Privilege) limits authenticated users to their own directories, reducing the impact of a missing ownership check.
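The following is an added illustration of the flaw described under "Deeper analysis" and of the AC-3 and SI-10 controls listed above; it is not AVideo's code and does not reproduce the fixed commits. It models an upload endpoint that authenticates the caller but trusts the directory id in the request (the CWE-639 pattern), beside a hardened handler that looks the directory up in an ownership table before writing, validates the filename, and records every denied cross-owner attempt for detection. The users, session tokens, directory ids and storage root are constructed for the example.

```python
"""
Added illustration, not AVideo's own code: a file-upload handler that
authenticates the caller but trusts the directory reference in the request
(the IDOR pattern), beside a hardened handler that enforces ownership of the
target directory (AC-3) and validates the upload inputs (SI-10).
Directory ids, users, sessions and paths are constructed for the example.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath

UPLOAD_ROOT = PurePosixPath("/var/www/uploads")   # hypothetical storage root

# Constructed ownership table: directory id -> owner.  In a real application
# this is the record the upload endpoint must consult before writing anything.
DIRECTORY_OWNERS = {"dir-101": "alice", "dir-202": "bob"}

# Constructed session table: session token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class UploadRequest:
    session_token: str
    directory_id: str   # user-controlled key: the value the handler must not trust
    filename: str
    content: bytes = b""


class AuthError(Exception):
    """Caller is not logged in."""


class AuthzError(Exception):
    """Caller is logged in but may not use this directory."""


class ValidationError(Exception):
    """A request field is malformed."""


def authenticate(req: UploadRequest) -> str:
    user = SESSIONS.get(req.session_token)
    if user is None:
        raise AuthError("not logged in")
    return user


def vulnerable_upload(req: UploadRequest, store: dict) -> str:
    """Authentication only: any logged-in user can write into any directory."""
    authenticate(req)
    dest = UPLOAD_ROOT / req.directory_id / req.filename
    store[str(dest)] = req.content
    return str(dest)


def validate_filename(name: str) -> str:
    """SI-10: reject empty names, traversal components and path separators."""
    if not name or name in (".", "..") or any(c in name for c in "/\\\x00"):
        raise ValidationError("bad filename")
    return name


def hardened_upload(req: UploadRequest, store: dict, audit: list) -> str:
    """AC-3: the target directory must be owned by the authenticated caller."""
    user = authenticate(req)
    owner = DIRECTORY_OWNERS.get(req.directory_id)
    if owner != user:
        # Record the (user, directory) pair: repeated denials from one account
        # are the detection signal for IDOR probing.  Unknown and foreign ids
        # get the same response so directory ids cannot be enumerated.
        audit.append((user, req.directory_id))
        raise AuthzError("directory not accessible")
    name = validate_filename(req.filename)
    dest = UPLOAD_ROOT / req.directory_id / name
    store[str(dest)] = req.content
    return str(dest)


def run_scenarios() -> dict:
    """Exercise both handlers; bob tries to write into alice's directory."""
    cross_owner = UploadRequest("tok-bob", "dir-101", "note.txt", b"x")
    own_dir = UploadRequest("tok-alice", "dir-101", "note.txt", b"x")
    traversal = UploadRequest("tok-alice", "dir-101", "../evil.txt", b"x")
    results, audit = {}, []

    results["vulnerable_cross_owner"] = vulnerable_upload(cross_owner, {})
    results["hardened_own_dir"] = hardened_upload(own_dir, {}, audit)
    for key, req in (("hardened_cross_owner", cross_owner),
                     ("hardened_traversal", traversal)):
        try:
            results[key] = hardened_upload(req, {}, audit)
        except (AuthzError, ValidationError) as exc:
            results[key] = type(exc).__name__
    results["audit"] = audit
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The ownership lookup is the whole fix: the directory id is treated as an untrusted selector that is resolved against server-side state, and the write happens only when that state says the caller owns the target. Denied attempts are logged with the caller and the requested id rather than silently dropped, which gives a monitoring team a concrete signal (one account touching many directory ids it does not own) to alert on.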
