Cyber Posture

CVE-2025-63213

CriticalPublic PoC

Published: 19 November 2025

Published
19 November 2025
Modified
15 January 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0050 66.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The QVidium Opera11 device (firmware version 2.9.0-Ax4x-opera11) is vulnerable to Remote Code Execution (RCE) due to improper input validation on the /cgi-bin/net_ping.cgi endpoint. An attacker can exploit this vulnerability by sending a specially crafted GET request with a malicious parameter…

more

to inject arbitrary commands. These commands are executed with root privileges, allowing attackers to gain full control over the device. This poses a significant security risk to any device running this software.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates the improper input validation flaw (CWE-20) in the /cgi-bin/net_ping.cgi endpoint that enables command injection and RCE.

SI-2 Flaw Remediation good match
preventrecover

Requires timely flaw remediation through firmware patching or updates to eliminate the specific RCE vulnerability in version 2.9.0-Ax4x-opera11.

SC-7 Boundary Protection partial match
prevent

Enforces network boundary protections such as firewalls or WAFs to block unauthorized remote access to the vulnerable CGI endpoint.

Security SummaryAI

CVE-2025-63213 is a critical Remote Code Execution (RCE) vulnerability in the QVidium Opera11 device running firmware version 2.9.0-Ax4x-opera11. It arises from improper input validation (CWE-20) in the /cgi-bin/net_ping.cgi endpoint, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Published on 2025-11-19, the flaw allows attackers to inject and execute arbitrary commands directly on the device.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a specially crafted GET request with a malicious parameter to the vulnerable endpoint, the attacker triggers command injection executed with root privileges, resulting in full control over the device and significant security risks to affected systems.

Advisories and further details are available through referenced sources, including the vendor site at https://qvidium.tv/, a proof-of-concept repository at https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63213_QVidium%20Opera11%20RCE, and an analysis at https://undercodetesting.com/zero-day-vulnerabilities-discovered-in-qvidium-opera11-remote-code-execution-rce-exploit/. These provide exploit demonstrations but no specific patch or mitigation steps are detailed in the initial CVE description.

Details

CWE(s)
CWE-20

Affected Products

qvidium
opera11 firmware
2.9.0-ax4x-opera11

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Unauthenticated RCE via command injection in public-facing CGI endpoint (/cgi-bin/net_ping.cgi) directly enables T1190 (Exploit Public-Facing Application) and facilitates T1059.004 (Unix Shell) execution with root privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References