A critical Remote Code Execution (RCE) vulnerability has been identified in the StreamVault video download integration solution. This flaw allows an authenticated administrator to inject and execute arbitrary commands on the underlying server by manipulating configuration settings, potentially leading to a complete system compromise, data theft, or further attacks on the internal network.

This vulnerability is a command injection flaw stemming from insufficient input validation. An attacker with administrative privileges on the StreamVault application can send a specially crafted HTTP POST request to the /admin/api/saveConfig endpoint. The request body can include malicious arguments for the yt-dlp utility, containing shell metacharacters (e.g., ;, |, &&, $(command)). The application saves these arguments without sanitization. When a video download is subsequently initiated, the YtDlpUtil.java class dynamically constructs a command-line string using the tainted arguments and executes it, allowing the attacker's injected commands to run with the permissions of the StreamVault application process on the server.

This vulnerability is rated as critical severity with a CVSS score of 9.9. Successful exploitation results in full Remote Code Execution (RCE) on the server hosting the StreamVault application. This can lead to a complete compromise of the system's confidentiality, integrity, and availability. Specific business risks include the exfiltration of sensitive data stored on the server, using the compromised machine as a pivot point for lateral movement into the broader corporate network, deployment of ransomware, or causing a complete denial of service. The potential for reputational damage and financial loss is significant.

Immediate Action: The primary remediation is to upgrade all affected StreamVault instances to version 251126 or later, as this version contains the patch that validates the configuration arguments. After patching, review web server and application logs for any signs of exploitation attempts that may have occurred prior to the upgrade.

Proactive Monitoring:

• Log Analysis: Scrutinize web server access logs for POST requests to the /admin/api/saveConfig endpoint. Inspect the request bodies for any shell metacharacters or suspicious commands.
• Process Monitoring: On the host server, monitor for unexpected child processes being spawned by the StreamVault Java application process (e.g., sh, bash, curl, wget, powershell.exe).
• Network Traffic: Monitor for anomalous outbound network connections from the StreamVault server, which could indicate communication with a command-and-control (C2) server or data exfiltration.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Use a Web Application Firewall (WAF) to filter requests to the /admin/api/saveConfig endpoint, blocking payloads that contain common command injection patterns and shell metacharacters.
• Strictly limit network access to the StreamVault administrative interface to only trusted IP addresses.
• Implement strict egress filtering on the server's firewall to block all outbound traffic except for what is explicitly required for application functionality.

Public Exploit Available: False

This vulnerability represents a critical and immediate threat to the security of any organization using the affected StreamVault products. We strongly recommend that all vulnerable instances be patched to version 251126 or later with the highest priority. Although exploitation requires administrative credentials, this prerequisite should not diminish the urgency, as credentials can be compromised through phishing, password reuse, or other attack vectors. While this CVE is not yet on the CISA KEV catalog, its critical impact makes it a prime candidate for future inclusion. Organizations must act preemptively to apply the patch, implement the recommended monitoring controls, and review access policies for the administrative interface to ensure it is adequately secured.