PT-2025-26456 · Unknown · Minidvblinux

Gjoko Krstic · Published 2025-06-20 · Updated 2025-12-29 · CVE-2025-25038

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

MiniDVBLinux versions prior to 5.4

Description

An OS command injection issue exists in the web-based management interface of MiniDVBLinux. The vulnerable component does not sanitize or validate user-supplied input received through the web interface before passing it to operating system commands; the system() function is likely involved in processing that input and executing the commands. A remote, unauthenticated attacker can therefore inject commands through the web interface and execute them as the root user, potentially compromising the entire device. The Shadowserver Foundation observed exploitation evidence on 2024-04-10 UTC.

Recommendations

Versions prior to 5.4 should be updated. As a temporary workaround, consider disabling the web-based management interface until a patch is available. Restrict access to the web interface to trusted networks.
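
To check whether an exposed management interface has received injection attempts, the following added example (not from the advisory or the MiniDVBLinux project) scans web server access logs for query parameters that carry shell metacharacters, including double-encoded ones. The Combined Log Format, the `/example.cgi` path, the `item` parameter and the sample lines are assumptions constructed for illustration; the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request portion of a Combined Log Format line (assumed log format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Separators, pipes, redirections and substitutions a shell would interpret.
SHELL_META_RE = re.compile(r'[;|&`<>\n\r]|\$[({]')

# Constructed sample lines; /example.cgi and "item" are hypothetical names.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Apr/2024:08:15:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Apr/2024:08:15:09 +0000] "GET /example.cgi?item=eth0%3Bid HTTP/1.1" 200 87',
    '198.51.100.7 - - [10/Apr/2024:08:15:11 +0000] "GET /example.cgi?item=%2524%2528id%2529 HTTP/1.1" 200 87',
    '192.0.2.10 - - [10/Apr/2024:08:16:40 +0000] "GET /example.cgi?item=eth0&mode=status HTTP/1.1" 200 301',
]


def suspicious_params(target):
    """Return (name, decoded value) for query parameters holding shell metacharacters."""
    hits = []
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True, separator="&")
    for name, value in pairs:
        # parse_qsl decoded once; decode again so double-encoding does not hide input.
        decoded = unquote(value)
        if any(SHELL_META_RE.search(s) for s in (name, value, decoded)):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return (client ip, request target, hits) for every flagged log line."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            hits = suspicious_params(m.group("target"))
            if hits:
                findings.append((m.group("ip"), m.group("target"), hits))
    return findings


if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(f"{ip} {target} -> {hits}")
```

Access logs normally omit POST bodies, so a clean result does not rule out injection through form fields. Treat hits as leads for triage, since legitimate values can also contain these characters.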

Exploit · Fix · OS Command Injection · RCE

Weakness Enumeration

Related Identifiers

CVE-2025-25038

Affected Products

Minidvblinux