CVE-2026-33480

High ⚡ Exploit Available
CWE-918 — Weakness Type
Published: Mar 23, 2026  ·  Modified: Mar 29, 2026  ·  Source: NVD
CVSS v3
8.6
📄 Description (English)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch.

🤖 AI Executive Summary

CVE-2026-33480 is a critical Server-Side Request Forgery (SSRF) vulnerability in WWBN AVideo versions up to 26.0 that allows unauthenticated attackers to bypass URL validation using IPv4-mapped IPv6 addresses. The vulnerable `plugin/LiveLinks/proxy.php` endpoint can be exploited to access cloud metadata services, internal networks, and localhost services, potentially leading to credential theft, lateral movement, and system compromise. An exploit is publicly available, making this an immediate threat requiring urgent patching.

🤖 AI Intelligence Analysis Analyzed: Apr 24, 2026 00:38
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WWBN AVideo for video streaming, content delivery, or internal communications face critical risk. Most impacted sectors: (1) Government agencies and ministries using AVideo for internal communications and training platforms; (2) Educational institutions (universities, TVTC) hosting video content; (3) Media and broadcasting companies; (4) Telecommunications providers (STC, Mobily, Zain) using AVideo for content delivery; (5) Healthcare organizations using video conferencing. The SSRF vulnerability enables attackers to access internal ARAMCO networks, SAMA banking infrastructure, NCA government systems, and cloud metadata services (AWS, Azure) hosting sensitive Saudi data. Attackers could extract credentials, access internal APIs, and pivot to critical infrastructure.
🏢 Affected Saudi Sectors
Government and Public Administration, Education and Universities, Healthcare and Hospitals, Banking and Financial Services, Telecommunications, Media and Broadcasting, Energy and Utilities, Defense and Security
⚖️ Saudi Risk Score (AI): 9.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of WWBN AVideo in your environment (versions ≤26.0) using network scanning and asset inventory tools
2. Disable or restrict access to the `plugin/LiveLinks/proxy.php` endpoint immediately via WAF rules or network ACLs
3. Implement IP-based access controls limiting proxy.php to authorized internal users only
4. Monitor logs for suspicious requests to proxy.php with IPv6 addresses or unusual URL patterns

PATCHING:
1. Update WWBN AVideo to version 26.1 or later (apply commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373)
2. Test patches in non-production environment first
3. Verify the patched `isSSRFSafeURL()` function properly rejects IPv4-mapped IPv6 addresses

COMPENSATING CONTROLS (if immediate patching is not possible):
1. Deploy WAF rules blocking requests containing `::ffff:` patterns
2. Implement egress filtering to prevent curl requests to 127.0.0.1, 169.254.169.254 (AWS metadata), and internal IP ranges
3. Use network segmentation to isolate AVideo servers from sensitive internal systems
4. Disable curl/external URL fetching in AVideo if not required

DETECTION:
1. Monitor for HTTP requests to proxy.php with IPv6 addresses in URL parameters
2. Alert on curl requests from AVideo process to localhost (127.0.0.1) or cloud metadata IPs (169.254.169.254)
3. Log all proxy.php access attempts and review for suspicious patterns
4. Implement IDS/IPS signatures detecting IPv4-mapped IPv6 SSRF attempts
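The bypass described above works because a range check that looks at the raw host string never sees the IPv4 address carried inside `::ffff:x.x.x.x`. The following is an added example, not AVideo's code or its patch, of the normalisation the verification in PATCHING step 3 should exercise: IPv4-mapped IPv6 literals (dotted or hex form such as `::ffff:7f00:1`, which a plain `::ffff:` string match would miss) are unwrapped before the loopback, private and link-local checks, and hostnames are checked per resolved record. The `FAKE_DNS` table and every hostname in it are constructed so the example runs offline.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-in for DNS (hypothetical names) so the example runs offline.
# A real deployment resolves the name and must check every returned record.
FAKE_DNS = {
    "videos.example.net": ["93.184.216.34"],             # sample public address
    "cdn.internal.example": ["::ffff:169.254.169.254"],  # AAAA record hiding a mapped v4
}

def fake_resolve(name: str) -> Iterable[str]:
    return FAKE_DNS.get(name, [])

def normalise_ip(host: str) -> Optional[IPAddr]:
    """Parse an IP literal; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d or ::ffff:hex:hex)
    to the IPv4 address it carries. Returns None when host is not an IP literal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped   # range checks now see 127.0.0.1, not ::ffff:7f00:1
    return addr

def is_internal(addr: IPAddr) -> bool:
    """Anything a public proxy must never fetch from: loopback, RFC 1918 / ULA,
    link-local (cloud metadata at 169.254.169.254), unspecified, multicast, reserved."""
    return any((addr.is_loopback, addr.is_private, addr.is_link_local,
                addr.is_unspecified, addr.is_multicast, addr.is_reserved))

def is_ssrf_safe_url(url: str,
                     resolve: Callable[[str], Iterable[str]] = fake_resolve) -> bool:
    """Fail-closed gate: http(s) only, host normalised, every address range-checked."""
    try:
        parts = urlsplit(url)                 # strips the [...] around IPv6 literals
    except ValueError:
        return False                          # malformed bracketed host
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    literal = normalise_ip(parts.hostname)
    if literal is not None:
        candidates = [literal]
    else:
        candidates = [normalise_ip(a) for a in resolve(parts.hostname)]
    if not candidates or None in candidates:
        return False                          # unresolvable name or junk record
    return not any(is_internal(c) for c in candidates)
```

The real fetch must also use the address that passed the check (pin it for the curl call) so that a second DNS lookup cannot return a different record.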
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships (AVideo vendor security)
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.8.1.1 - User endpoint devices (securing AVideo deployments)
ECC 2024 A.8.2.1 - Privileged access rights (proxy.php access control)
ECC 2024 A.13.1.3 - Segregation of networks (network segmentation for AVideo)
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset Management (inventory AVideo instances)
SAMA CSF PR.AC-1 - Access Control Policy (restrict proxy.php access)
SAMA CSF PR.DS-2 - Data Security (prevent metadata service access)
SAMA CSF DE.CM-1 - Detection and Analysis (monitor SSRF attempts)
SAMA CSF RS.MI-2 - Incident Response (contain SSRF exploitation)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 - Information security for supplier relationships
ISO 27001:2022 A.8.1 - User endpoint device security
ISO 27001:2022 A.8.2 - Privileged access rights
ISO 27001:2022 A.8.3 - Information access restriction
ISO 27001:2022 A.13.1 - Network security
ISO 27001:2022 A.14.2 - Supplier security assessment
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates (patch AVideo)
PCI DSS 6.5.1 - Injection flaws (SSRF is an injection vulnerability)
PCI DSS 1.3 - Network segmentation (isolate AVideo from payment systems)
PCI DSS 2.2.4 - Configure system security parameters (disable unnecessary services)
📦 Affected Products / CPE (1 entry)
wwbn:avideo
📊 CVSS Score: 8.6 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: C (Changed)
Confidentiality: H (High)
Integrity: N (None)
Availability: N (None)
📋 Quick Facts
Severity: High
CVSS Score: 8.6
CWE: CWE-918
Exploit: ✓ Yes
Patch: ✓ Yes
Published: 2026-03-23
Source Feed: nvd
🇸🇦 Saudi Risk Score: 9.2 / 10.0 — Priority: CRITICAL
🏷️ Tags
exploit-available patch-available CWE-918