Vulnerability Description
The QVidium Opera11 device (firmware version 2.9.0-Ax4x-opera11) is vulnerable to Remote Code Execution (RCE) due to improper input validation on the /cgi-bin/net_ping.cgi endpoint. An attacker can exploit this vulnerability by sending a specially crafted GET request with a malicious parameter to inject arbitrary commands. These commands are executed with root privileges, allowing attackers to gain full control over the device. This poses a significant security risk to any device running this software.
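The root cause described above is a ping CGI that lets a request parameter reach a root shell. As an added defensive illustration that is not part of this record or of QVidium's firmware, the following Python shows how such an endpoint can allowlist the target and invoke ping without a shell; the parameter name `host`, the handler shape and the sample inputs are assumptions, since the record does not name the vulnerable parameter.

```python
import ipaddress
import re
import subprocess
from typing import Optional

# Hostname label allowlist (RFC 1123): letters, digits, hyphens; 1-63 chars; no edge hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_ping_target(raw: str) -> Optional[str]:
    """Return a normalized target if `raw` is a plain IP literal or DNS name, else None.

    Quotes, ';', '|', '$(', whitespace and similar never match the allowlist, so shell
    metacharacters are rejected before any command is built.
    """
    value = raw.strip()
    if not value or len(value) > 253:
        return None
    # IPv4/IPv6 literals: the standard parser rejects trailing junk such as '1.2.3.4;id'.
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    # Otherwise require a well-formed DNS name; every label must match the allowlist.
    name = value.rstrip(".")
    labels = name.split(".")
    if all(_LABEL.match(label) for label in labels):
        return name.lower()
    return None


def build_ping_argv(target: str, count: int = 3) -> list:
    """Argument vector for ping. List form means no shell is involved: the target is one argv entry."""
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), target]


def run_ping(raw_param: str) -> str:
    """Handler body for the assumed `host` parameter: validate first, then exec without shell=True."""
    target = validate_ping_target(raw_param)
    if target is None:
        return "error: invalid host"
    result = subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=30)
    return result.stdout or result.stderr
```

Running the CGI process as an unprivileged user instead of root would additionally limit the impact of any validation bypass.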
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Qvidium | Opera11 Firmware | 2.9.0-ax4x-opera11 |
| Qvidium | Opera11 | - |
Related Weaknesses (CWE)
References
- https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-6321 (Exploit, Third Party Advisory)
- https://qvidium.tv/Product
- https://undercodetesting.com/zero-day-vulnerabilities-discovered-in-qvidium-oper (Exploit, Third Party Advisory)
FAQ
What is CVE-2025-63213?
CVE-2025-63213 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The QVidium Opera11 device (firmware version 2.9.0-Ax4x-opera11) is vulnerable to Remote Code Execution (RCE) due to improper input validation on the /cgi-bin/net_ping.cgi endpoint. An attacker can ex...
How severe is CVE-2025-63213?
CVE-2025-63213 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-63213?
Check the references section above for vendor advisories and patch information. Affected products include: Qvidium Opera11 Firmware, Qvidium Opera11.