← Advisories

Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution

Critical

Advisory ID

ZSL-2017-5408

Release Date

03 May 2017

Vendor

Petr Nejedly, Six Lines Ltd - http://www.serviio.org

Affected Version

1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1

CVE

CVE-2025-34101

Tested On

Restlet-Framework/2.2, Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8, Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8, Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8

Summary

Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.

Description

The version of Serviio installed on the remote Windows host is affected by an unauthenticated remote code execution vulnerability due to improper access control enforcement of the Configuration REST API and unsanitized input when FFMPEGWrapper calls cmd.exe to execute system commands. A remote attacker can exploit this with a simple JSON request, gaining system access with SYSTEM privileges via a specially crafted request and escape sequence.

Proof of Concept

serviio_rce.pyTXT

Disclosure Timeline

12.12.2016Vulnerability discovered.

02.05.2017Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.

Credits

Vulnerability discovered by Gjoko Krstic
High five to Piet van Hekke!

References

[1]https://blogs.securiteam.com/index.php/archives/3094

[2]https://www.exploit-db.com/exploits/41961/

[3]https://cxsecurity.com/issue/WLB-2017050024

[4]https://packetstormsecurity.com/files/142387