AV Stumpfl Pixera Two Media Server WebSocket API Code Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A code injection vulnerability has been identified in AV Stumpfl Pixera Two Media Server versions prior to 25.2 R3. The issue resides in an unknown function of the WebSocket API component and allows remote code execution. The vulnerability has been publicly disclosed and exploited. The recommended action is to upgrade to version 25.2 R3.
Impact
Exploitation of this vulnerability allows for remote code execution on the affected media server, with commands executed as the 'av-stumpfl' user, who has Administrator privileges on the Windows server. This access could be used to manipulate files, mine cryptocurrency, and move laterally across connected networks.
Reproduction
The vulnerability can be reproduced by sending a WebSocket payload to the server's WebSocket API, which is accessible on port 1338 by default. The payload must include a 'Request' type, a sequence number, the address of the command to be executed (such as 'Utils.Redacted.redacted'), and the parameters for the command. This can be done using a WebSocket client or a script that interacts with the WebSocket API.
Remediation
Users are advised to upgrade to AV Stumpfl Pixera version 25.2 R3, released on October 14, 2025. In this version, Pixera introduced API allow-listing to limit API access, which should be configured carefully to restrict sensitive APIs. Additionally, strict IP whitelisting should be applied to ensure that the web panel and API are only accessible from trusted sources.
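The script below is an added example, not vendor or original-page code: on the Windows host it audits who can reach the WebSocket API port and adds an inbound allow rule scoped to trusted sources. The addresses (documentation range 192.0.2.0/24) and the rule name are placeholders, and port 1338 is the default stated above.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and scope inbound access to the WebSocket API port.
$ApiPort        = 1338                                # default port named in this advisory
$TrustedSources = @('192.0.2.10', '192.0.2.32/28')    # placeholders: replace with real control hosts
$RuleName       = 'Media server API - trusted only'   # hypothetical rule name

# 1. What is listening on the API port, and on which local address?
Get-NetTCPConnection -State Listen -LocalPort $ApiPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize

# 2. A scoped allow rule only helps if unmatched inbound traffic is dropped
#    (DefaultInboundAction of Block, or NotConfigured, which defaults to Block).
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction -AutoSize

# 3. List enabled inbound allow rules that admit the port from any remote address.
#    Rules with LocalPort 'Any' are usually program-scoped; review those for the server binary.
#    Port ranges (e.g. '1000-2000') are not expanded here.
$broad = foreach ($rule in (Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True)) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    $app  = $rule | Get-NetFirewallApplicationFilter
    $tcp  = $port.Protocol -in 'TCP', 'Any'
    $hit  = ($port.LocalPort -contains "$ApiPort") -or ($port.LocalPort -contains 'Any')
    if ($rule.DisplayName -ne $RuleName -and $tcp -and $hit -and ($addr.RemoteAddress -contains 'Any')) {
        [pscustomobject]@{
            Rule = $rule.DisplayName; LocalPort = $port.LocalPort -join ','; Program = $app.Program
        }
    }
}
$broad | Sort-Object Program, Rule | Format-Table -AutoSize -Wrap

# 4. Add an allow rule limited to the trusted sources (idempotent).
#    Do not pair it with a catch-all block rule: in Windows Firewall a block rule
#    overrides allow rules. Narrow or disable the rules listed in step 3 instead.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $ApiPort -RemoteAddress $TrustedSources -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Any rule reported in step 3 still admits the port from every source until it is narrowed or disabled, so the scoped rule alone does not close the exposure.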
