Cyber Resilience

CVE-2025-48732

HighPublic PoC

Published: 24 July 2025

Published
24 July 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0340 87.7th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-48732 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Wwbn Avideo. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-48732 is an incomplete blacklist vulnerability in the sample .htaccess file shipped with WWBN AVideo version 14.4 and the development master branch at commit 8a8954ff. The flaw, tracked under CWE-184, permits an attacker to upload or request files with a .phar extension that should have been blocked, resulting in arbitrary code execution on the server.

An unauthenticated remote attacker can exploit the issue by sending a crafted HTTP request that references a malicious .phar file. Successful exploitation grants the ability to execute arbitrary code with the privileges of the web server process, corresponding to the reported CVSS 7.3 rating that reflects network attack vector, low complexity, and no required authentication or user interaction.

The referenced Talos Intelligence advisory (TALOS-2025-2213) provides the technical details of the finding; no separate patch or mitigation guidance is supplied in the available references. The associated EPSS score has remained flat at 0.0340 with no material increase observed since publication.

EU & UK References

Vulnerability details

An incomplete blacklist exists in the .htaccess sample of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can request a .phar file to trigger this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote code execution via crafted request to public-facing web app due to incomplete input blacklist bypass.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33767Same product: Wwbn Avideo
CVE-2026-33038Same product: Wwbn Avideo
CVE-2026-41057Same product: Wwbn Avideo
CVE-2026-33479Same product: Wwbn Avideo
CVE-2026-34733Same product: Wwbn Avideo
CVE-2026-28501Same product: Wwbn Avideo
CVE-2026-33292Same product: Wwbn Avideo
CVE-2025-25214Same product: Wwbn Avideo
CVE-2026-41055Same product: Wwbn Avideo
CVE-2026-33716Same product: Wwbn Avideo

Affected Assets

wwbn
avideo
14.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the incomplete blacklist flaw in the .htaccess sample by applying patches or fixes to prevent arbitrary code execution via .phar files.

prevent

Enforces secure baseline configuration settings for web servers, including proper .htaccess blacklisting of dangerous file types like .phar to block exploitation.

prevent

Restricts unauthorized information inputs such as specially crafted HTTP requests for .phar files, directly countering the incomplete blacklist vulnerability.

References