Severity by source
Primary rating from NVD (only source for this CVE): CVSS 3.1 base score 7.5 (High).
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (CVE.org)
All communication with the REST API is unencrypted (HTTP), allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files.
Analysis (AI)
CVE-2025-49183 is a cleartext-transmission vulnerability: the REST API is served over plain HTTP, so every request and response is exposed to anyone who can observe the network path between a client and the web server. An on-path attacker needs no account and no user interaction to read the traffic, gather information about the API and its users, and recover media files as they are downloaded. The NVD vector (CVSS 3.1 base score 7.5) reflects a high confidentiality impact with no integrity or availability impact; the real-world risk depends on whether an attacker can obtain a position on the network path and on how sensitive the data the API carries is.
Technical Context (AI)
The weakness is CWE-319 (Cleartext Transmission of Sensitive Information): the REST API is reachable over HTTP with no TLS, so transport-layer protection is absent rather than merely optional. Everything the API carries crosses the network in plaintext: authentication credentials and session or API tokens in request headers, request and response bodies, and the media files themselves. Because REST APIs typically exchange structured JSON or XML containing identifiers, credentials and business data, any party positioned on the path can read it directly; that position can be reached by ARP spoofing or DNS hijacking on a shared segment, from a compromised router or network segment, or by anyone with visibility of the upstream link (including ISP-level monitoring). A captured bearer token or session cookie is more than an information leak: it can usually be replayed against the API for as long as it remains valid. The same failure pattern applies to any service that exposes an API without enforcing TLS, regardless of vendor.
Remediation (AI)
Immediate mitigations:
(1) Serve the REST API over HTTPS only and remove the HTTP listener. Redirecting HTTP to HTTPS (301/302) is at best a migration aid for browsers: an API client that sends its first request to the HTTP endpoint has already put its credentials on the wire before any redirect arrives, so the plaintext port must stop accepting requests altogether.
(2) Send an HTTP Strict-Transport-Security (HSTS) header with a long max-age (a year or more) and includeSubDomains. Browsers honour HSTS only when it is received over HTTPS, and non-browser API clients ignore it, so it complements (1) rather than replacing it.
(3) Configure TLS 1.2 or later with modern cipher suites (no RC4, MD5, DES or export ciphers) and a certificate from a CA the clients trust, so that clients are not tempted to disable certificate validation.
(4) Until the endpoint is fixed, limit who can reach it: keep it on an isolated management network, require VPN access, or place it behind a reverse proxy or API gateway (nginx, Apache) that terminates TLS and is the only path to the backend.
Long-term:
(1) Upgrade to the vendor-supplied version that enforces HTTPS (affected and fixed versions are not given in the data on this page; consult the vendor advisory).
(2) Consider certificate pinning in first-party clients to reduce exposure to a compromised or coerced CA, weighing it against the operational cost of rotating pins.
(3) Rotate any credentials, tokens or API keys that may have been sent over the cleartext API; anything already captured remains usable until it is revoked.
(4) Publish a security contact (security.txt) so that further findings can be reported.
(5) Review the rest of the system for other cleartext channels: database connections, inter-service communication and log shipping.
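As an added illustration (this is not code from vuln.today, NVD or the affected vendor), the Python below shows what the cleartext exchange described under Technical Context looks like to a passive observer, and encodes two of the checks from the remediation list: a client-side rule that refuses to send credentials to a non-HTTPS URL, and a validator for the HSTS header. The captured request and response, the host name api.example.internal, the API paths and the bearer token are all constructed for this example and are not taken from the affected product.

```python
# Added example (not from vuln.today, NVD or the affected vendor). The capture
# below is constructed; host, paths and token are hypothetical.
import re
from urllib.parse import urlsplit

# One request/response pair as a passive sniffer on the same segment (e.g.
# after ARP spoofing) would see it when the REST API is served over plain HTTP.
CAPTURED_REQUEST = (
    b"GET /api/v1/media/12345/download HTTP/1.1\r\n"
    b"Host: api.example.internal\r\n"
    b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2Vzc2lvbg.sig\r\n"
    b"Accept: application/json\r\n"
    b"\r\n"
)
CAPTURED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="cam01_2025-06-01.mp4"\r\n'
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"\x00\x00\x00\x18"  # first bytes of the media file, truncated here
)


def parse_http_message(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a cleartext HTTP/1.1 message into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def observer_view(request: bytes, response: bytes) -> dict:
    """Everything an on-path observer learns from one cleartext exchange:
    the endpoint being called, a replayable bearer token, and the media
    file (name and content) that the response carries."""
    req_line, req_headers, _ = parse_http_message(request)
    _, resp_headers, body = parse_http_message(response)
    method, path, _ = req_line.split(" ", 2)
    auth = req_headers.get("authorization", "")
    m = re.search(r'filename="?([^";]+)', resp_headers.get("content-disposition", ""))
    return {
        "endpoint": f"{method} {path}",
        "host": req_headers.get("host"),
        "bearer_token": auth.removeprefix("Bearer ").strip() or None,
        "media_filename": m.group(1) if m else None,
        "media_bytes": len(body),
    }


def client_refuses_cleartext(url: str) -> bool:
    """Hardened-client rule: only send credentials to https:// URLs. An
    HTTP->HTTPS redirect on the server does not help here, because the first
    request, Authorization header included, has already left the client in
    cleartext before any redirect arrives."""
    return urlsplit(url).scheme == "https"


def hsts_is_adequate(headers: dict[str, str], min_max_age: int = 31536000) -> bool:
    """Accept a Strict-Transport-Security header only with a max-age of at
    least one year and includeSubDomains. Browsers honour HSTS only when it
    arrives over HTTPS and non-browser API clients ignore it, so this is
    defence in depth, not a replacement for removing the HTTP listener."""
    directives: dict[str, str] = {}
    for part in headers.get("strict-transport-security", "").split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return False
    return max_age >= min_max_age and "includesubdomains" in directives


if __name__ == "__main__":
    leak = observer_view(CAPTURED_REQUEST, CAPTURED_RESPONSE)
    for key, value in leak.items():
        print(f"{key}: {value}")
    print("send over http://?", client_refuses_cleartext("http://api.example.internal/api/v1/media"))
    print("HSTS ok?", hsts_is_adequate({"strict-transport-security": "max-age=63072000; includeSubDomains"}))
```

Running the script prints the endpoint, host, bearer token and media file name recovered from the constructed capture, which is exactly the "information gathering and downloading media files" the description refers to. The `client_refuses_cleartext` check is the client-side counterpart of removing the HTTP listener: it is the reason a server-side redirect alone does not close this finding.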
EUVD-2025-18186