Full Report
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed seven vulnerabilities in WWBN AVideo, four in MedDream, and one in an Eclipse ThreadX module. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in WWBN AVideo, MedDream PACS Premium, and Eclipse ThreadX FileX
## CVE Details
- CVE ID: CVE-2025-46410, CVE-2025-53084, CVE-2025-50128, CVE-2025-36548, CVE-2025-41420, CVE-2025-25214, CVE-2025-48732 (WWBN AVideo); CVE-2025-26469, CVE-2025-27724, CVE-2025-32731, CVE-2025-24485 (MedDream); CVE-2024-2088 (Eclipse ThreadX)
- CVSS Score: Not rated in the source; based on impact (XSS, potential RCE), the issues generally fall in the Medium to High range.
- CWE: CWE-79 (XSS), CWE-362 (Race Condition), CWE-776 (Incomplete Blacklist/Improper Input Validation), CWE-284 (Improper Access Control), CWE-287 (Improper Authentication), CWE-918 (SSRF), CWE-121 (Buffer Overflow/Out of Bounds Write implied by integer underflow).
## Affected Systems
- Products: WWBN AVideo, MedDream PACS Premium, Eclipse ThreadX FileX
- Versions:
  - WWBN AVideo: Version 14.4 and dev master commit 8a8954ff
  - MedDream PACS Premium: Versions 7.3.3.840, 7.3.5.860
  - Eclipse ThreadX FileX: git commit 1b85eb2
- Configurations: Varies by vulnerability (e.g., requires user interaction for XSS, file upload for RCE/Privilege Escalation).
## Vulnerability Description
This summary covers multiple disclosures across three products:
1. **WWBN AVideo (CVE-2025-46410, -53084, -50128, -36548, -41420, -25214, -48732):** Includes five Cross-Site Scripting (XSS) vulnerabilities triggered via crafted HTTP requests that require user interaction (visiting a malicious webpage). Additionally, a race condition leading to Arbitrary Code Execution (ACE) and an incomplete blacklist vulnerability allowing ACE via a request for a `.phar` file were found.
2. **MedDream PACS Premium (CVE-2025-26469, -27724, -32731, -24485):** Includes an Incorrect Default Permissions vulnerability allowing credential decryption via a crafted application, a Privilege Escalation vulnerability via uploading a malicious `.php` file in `login.php`, a Reflected XSS in `radiationDoseReport.php` via a crafted URL, and a Server-Side Request Forgery (SSRF) in `cecho.php` via an unauthenticated HTTP request.
3. **Eclipse ThreadX FileX (CVE-2024-2088):** A buffer overflow vulnerability exists in the FileX RAM disk driver functionality, potentially reachable by sending a sequence of crafted network packets, leading to code execution.
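The incomplete-blacklist issue in AVideo is a general pattern: a filter that enumerates "bad" extensions misses one that the web server still executes. The following is an added example, not WWBN AVideo's own code, contrasting a constructed denylist that omits `.phar` with an allowlist check and a server-generated storage name. The `DENYLIST`, `ALLOWLIST` and `SAFE_STEM` values are assumptions chosen for illustration.

```python
"""Added example (not WWBN AVideo's own code): an extension denylist that
misses .phar, next to the allowlist check a defender would use instead."""
import os
import re
import secrets

# Constructed denylist in the style of a "block PHP uploads" filter.
# .phar is absent, and PHP-enabled web servers commonly execute .phar too.
DENYLIST = {".php", ".php3", ".php4", ".php5", ".phtml"}

# Constructed allowlist: only the media types the upload feature needs.
ALLOWLIST = {".mp4", ".webm", ".jpg", ".jpeg", ".png", ".gif"}

# Constructed rule for the part of the name before the first dot.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def denylist_allows(filename):
    """The incomplete control: reject only if the last extension is listed."""
    return os.path.splitext(filename)[1].lower() not in DENYLIST


def allowlist_allows(filename):
    """Hardened control: no path separators or NULs, a plain stem, and every
    dot-separated suffix on the allowlist (so 'x.mp4.phar' is rejected)."""
    if any(c in filename for c in "/\\\0"):
        return False
    stem, *suffixes = filename.split(".")
    if not suffixes or not SAFE_STEM.match(stem):
        return False
    return all("." + s.lower() in ALLOWLIST for s in suffixes)


def stored_name(filename):
    """Never reuse the client's name on disk: validate it, then store under a
    random name that keeps only the validated extension."""
    if not allowlist_allows(filename):
        raise ValueError("rejected upload name")
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ("clip.mp4", "video.phar", "clip.mp4.phar", "../clip.mp4"):
        print(f"{name!r}: denylist={denylist_allows(name)} allowlist={allowlist_allows(name)}")
```

The point of the comparison is that the denylist answers "is this name known to be bad?", which is only as good as the list, while the allowlist answers "is this name known to be acceptable?"; combined with a server-chosen storage name, the client-supplied name never decides how the web server treats the file.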
## Exploitation
- Status: No in-the-wild exploitation is reported; exploitation status is unknown. Vendor patches are available, so the focus is remediation.
- Complexity: Ranges from Low (for unauthenticated SSRF/XSS) to Medium/High (for chained RCE via race condition or network packet sequence).
- Attack Vector: Predominantly Network (HTTP requests/packets) for WWBN and MedDream; Network Packets for Eclipse ThreadX.
## Impact
- Confidentiality: High (Credential theft via MedDream permission flaw, potential information disclosure from XSS).
- Integrity: High (Arbitrary Code Execution in WWBN AVideo, Privilege Escalation in MedDream).
- Availability: Medium to High (Potential denial of service or service disruption, especially if ACE leads to system compromise).
## Remediation
### Patches
Vendor patches are available for all reported vulnerabilities in adherence to the disclosure timeline. Users must apply the updates released by the respective vendors.
- **WWBN AVideo:** Patches available for version 14.4 and dev master commit 8a8954ff to resolve XSS, race condition, and blacklist issues.
- **MedDream PACS Premium:** Patches available for versions 7.3.3.840 and 7.3.5.860.
- **Eclipse ThreadX FileX:** Patches available addressing the buffer overflow in git commit 1b85eb2.
### Workarounds
The article presents vendor patches as the remediation and details no official workarounds; until patching is complete, apply network segmentation and access control to limit exposure of the affected services.
## Detection
- **Indicators of Compromise:**
  - Unusual network traffic directed at MedDream endpoints (`login.php`, `radiationDoseReport.php`, `cecho.php`).
  - Execution of `.phar` files in the WWBN AVideo environment.
  - Any unexpected script execution context in browsers interacting with WWBN AVideo or MedDream.
  - System/RTOS crash or unusual behavior corresponding to crafted network packets targeting ThreadX devices.
- **Detection methods and tools:**
  - Download and apply the latest Snort rule sets for detection coverage.
  - Monitor for non-standard user-agent strings or request patterns indicative of XSS payloads or file upload attempts against vulnerable APIs/endpoints.
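As an added example of the monitoring described above (not part of the Talos post, and not a substitute for the Snort coverage), the script below scans web-server access logs for the request patterns this section names: requests for `.phar` files, requests to the MedDream endpoints, XSS markers in the decoded URL, and non-browser user agents. It assumes the combined log format and uses constructed sample lines; the endpoint names come from this summary, while the XSS marker pattern, the "browser" heuristic and the decision to flag `login.php` only for non-browser clients are assumptions to tune per environment.

```python
"""Added example (not from the Talos post): flag access-log requests that
match the indicators listed in the Detection section. Sample lines are constructed."""
import re
from urllib.parse import unquote

# Assumption: the web servers in front of AVideo and MedDream log in the
# Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# MedDream endpoints named in the summary. login.php also serves normal
# logins, so it is handled separately below.
MEDDREAM_WATCHED = {"radiationDoseReport.php", "cecho.php"}
MEDDREAM_LOGIN = "login.php"

# Crude XSS markers matched against the URL-decoded request target (assumption).
XSS_MARKERS = re.compile(r"<script|javascript:|on(?:error|load)\s*=", re.IGNORECASE)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.11 - - [01/Jun/2025:10:00:05 +0000] "GET /videos/cache/clip.phar HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.12 - - [01/Jun/2025:10:00:09 +0000] "GET /radiationDoseReport.php?study=%3Cscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.13 - - [01/Jun/2025:10:00:12 +0000] "GET /cecho.php?aet=TEST&host=10.0.0.5&port=104 HTTP/1.1" 200 96 "-" "curl/8.5.0"
203.0.113.14 - - [01/Jun/2025:10:00:15 +0000] "POST /login.php HTTP/1.1" 302 0 "https://pacs.example/login.php" "Mozilla/5.0 (Windows NT 10.0)"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_browser_ua(ua):
    """Heuristic (assumption): mainstream browsers send a Mozilla/ prefix."""
    return ua.startswith("Mozilla/")


def classify(rec):
    """Return the list of indicator names a parsed request matches (empty if none)."""
    reasons = []
    decoded = unquote(rec["path"])
    script = decoded.split("?", 1)[0].rsplit("/", 1)[-1]
    if script.lower().endswith(".phar"):
        reasons.append("phar-request")
    if script in MEDDREAM_WATCHED:
        reasons.append("meddream-endpoint")
    # login.php takes legitimate logins; only flag it for non-browser clients.
    if script == MEDDREAM_LOGIN and rec["method"] == "POST" and not is_browser_ua(rec["ua"]):
        reasons.append("meddream-login-nonbrowser")
    if XSS_MARKERS.search(decoded):
        reasons.append("xss-marker")
    if not is_browser_ua(rec["ua"]):
        reasons.append("non-browser-ua")
    return reasons


def scan(log_text):
    """Return (ip, path, reasons) for every line that matched at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ip"], rec["path"], reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(reasons)}")
```

Run it against real logs by replacing `SAMPLE_LOG` with the file contents. The `.phar` and `cecho.php`/`radiationDoseReport.php` checks are high-signal on their own; the user-agent heuristic and the XSS marker pattern are noisy by design and are meant to be combined with a baseline of what normal clients look like in your environment.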
## References
- Vendor advisories: Published by Cisco Talos (references to TALOS-2025-XXXXX and TALOS-2024-2088).
- Relevant links:
  - Snort coverage download: hxxps://snort.org/
  - Vulnerability Advisories: hxxps://talosintelligence.com/vulnerability_reports/