### #WowzaStreamingEngine #RemoteCodeExecution #XSSVulnerabilities
Summary: Multiple vulnerabilities have been discovered in Wowza Streaming Engine, allowing remote attackers to gain complete control over affected systems. With approximately 18,500 servers exposed to the internet, organizations are urged to update to the latest version to mitigate risks.
Threat Actor: Unknown | unknown
Victim: Wowza Media Systems | Wowza Media Systems
Key Point :
- Severe vulnerabilities include unauthenticated stored XSS and authenticated remote code execution.
- Attackers could gain root or LocalSystem privileges, compromising server integrity.
- Wowza has released version 4.9.1 to address these vulnerabilities; users are strongly encouraged to update.
- Organizations using Wowza Streaming Engine should take immediate action to secure their systems.
- Rapid7’s research highlights the importance of proactive security measures in media services.
Ryan Emmons, Lead Security Researcher at Rapid7, has discovered multiple vulnerabilities in Wowza Streaming Engine, a popular media server software. The vulnerabilities could allow a remote attacker to gain complete control of affected systems.
Wowza Streaming Engine is used by many organizations for live stream broadcasts, video-on-demand, and other media services. According to Rapid7’s research, approximately 18,500 Wowza Streaming Engine servers are exposed to the public internet, making them potential targets for attackers.
The most severe vulnerability is an unauthenticated stored cross-site scripting (XSS) vulnerability that could allow an attacker to inject malicious code into the Wowza Streaming Engine Manager web dashboard. If an administrator views the poisoned dashboard, the attacker could exploit additional vulnerabilities to gain remote code execution on the server.
The attacker would then have root privileges on Linux systems and LocalSystem privileges on Windows systems, giving them complete control over the server.
The vulnerabilities have been assigned the following CVE identifiers:
- CVE-2024-52052 (CVSS 9.4): Authenticated remote code execution vulnerability
- CVE-2024-52053 (CVSS 8.7): Unauthenticated stored XSS vulnerability
- CVE-2024-52054 (CVSS 5.1): Authenticated arbitrary file write vulnerability
- CVE-2024-52055 (CVSS 8.2): Authenticated arbitrary file read vulnerability
- CVE-2024-52056 (CVSS 6.9): Authenticated arbitrary directory deletion vulnerability
Wowza has released version 4.9.1 of Wowza Streaming Engine to address these vulnerabilities. All users are strongly encouraged to update their systems as soon as possible.
Organizations that use Wowza Streaming Engine should take immediate action to mitigate these vulnerabilities and protect their systems from potential attacks.
In a statement, Wowza Media Systems said: “We at Wowza Media Systems are focused on security excellence, and by partnering with trusted researchers like Rapid7, we proactively respond to and fix vulnerabilities to safeguard our customers’ interests.”