A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata GET parameter to the redirectWidgetCmd endpoint. Successful exploitation leads to execution of arbitrary PHP code in the context of the web server process.
Security readout for executives and security teams
Plain-English summary
This CVE describes an unauthenticated remote code execution flaw in older Kaltura Video Platform deployments. A vulnerable internet-facing instance could let an attacker run PHP code as the web server. Public exploit references exist, so exposed legacy systems should be treated as urgent until version and reachability are confirmed.
Executive priority
Prioritize this as critical for any exposed Kaltura deployment because exploitation could compromise the web server without authentication. If no Kaltura systems are present, document non-exposure and close after verification.
Technical view
The issue is PHP object injection caused by unsafe deserialization of user-controlled data in Kaltura's keditorservices module. Sources identify the kdata GET parameter on redirectWidgetCmd as the vulnerable input. Successful exploitation can lead to arbitrary PHP code execution under the web server process. Evidence points to versions before 11.1.0-2, but affected metadata is sparse.
Likely exposure
Risk is highest for self-hosted or managed Kaltura Video Platform instances older than 11.1.0-2, especially if publicly reachable. The bundle does not prove exposure for cloud-hosted Kaltura tenants or non-Kaltura products.
Exploitation context
The CVE is not listed as KEV in the bundle, and no source here confirms active exploitation. However, Rapid7 Metasploit and Exploit-DB references indicate public exploit material exists, increasing urgency for exposed legacy deployments.
Researcher notes
Do not assume active exploitation from public exploit listings alone. The affected-version evidence is based on the provided advisory description, while the structured affected field appears incomplete. Validate against vendor records and local deployment history before declaring scope.
Mitigation direction
Upgrade affected Kaltura deployments to 11.1.0-2 or later where applicable.
Check Kaltura vendor guidance for supported fixes and any deployment-specific workaround.
Restrict public access to vulnerable Kaltura endpoints until remediation is complete.
Review web server permissions for the Kaltura application account.
Monitor web and application logs for suspicious kdata parameter activity.
Validation and detection
Inventory all Kaltura Video Platform deployments and confirm exact installed versions.
Confirm whether any instance is reachable from the internet or untrusted networks.
Check whether keditorservices and redirectWidgetCmd are present on deployed systems.
Review logs for abnormal requests involving the kdata parameter.
Validate remediation by confirming the deployed version is 11.1.0-2 or newer.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
5Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Control of Generation of Code ('Code Injection')
Improper Control of Generation of Code ('Code Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.