Overview
CVE-2025-63952 details a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Magewell Pro Convert device, specifically affecting version 1.2.213. This vulnerability resides in the /mwapi?method=add-user component and allows a remote attacker to arbitrarily create user accounts on the device. Due to the lack of proper CSRF protection, a malicious actor can craft a GET request that, when triggered by an authenticated user, will create a new account without the user’s knowledge or consent.
Technical Details
The vulnerability stems from the absence of CSRF tokens or other sufficient protections on the /mwapi?method=add-user endpoint. An attacker can craft a malicious HTML page containing a request (e.g., an image tag or a form with automatically submitted GET parameters) that, when visited by a logged-in user of the Magewell Pro Convert device, will trigger the creation of a new user account. The crafted request can specify the username and password for the newly created account, allowing the attacker to gain unauthorized access to the device’s management interface.
The vulnerable endpoint does not validate that the request originated from a legitimate user action within the Magewell Pro Convert interface. Consequently, any request to /mwapi?method=add-user, including those originating from external, attacker-controlled websites, will be processed.
CVSS Analysis
Currently, the CVSS score for CVE-2025-63952 is marked as N/A, meaning that a score has not yet been formally assigned. Given the impact of arbitrary account creation, it is likely to receive a medium to high severity score once assessed. Two factors raise the risk profile: no further user interaction is required once the victim has loaded the lure page while logged in, and the created account may carry administrative privileges, giving the attacker a path to privilege escalation.
Possible Impact
The exploitation of this CSRF vulnerability can have significant consequences:
- Unauthorized Access: Attackers can create administrative accounts, granting them full control over the Magewell Pro Convert device.
- Device Compromise: With administrative access, attackers can modify device settings, intercept video streams, or use the device as a pivot point for further network attacks.
- Data Breach: Sensitive data transmitted through the Magewell Pro Convert device could be intercepted and compromised.
- Denial of Service: Attackers could disable or disrupt the device’s functionality, leading to a denial-of-service condition.
Mitigation or Patch Steps
To mitigate the risk posed by CVE-2025-63952, the following steps are recommended:
- Apply the Latest Firmware Update: Magewell should release a firmware update that includes proper CSRF protection for the /mwapi?method=add-user endpoint. Apply this update as soon as it becomes available. Check Magewell’s official website for updates.
- Implement CSRF Tokens: Magewell should implement CSRF tokens in all relevant forms and API endpoints.
- Restrict Access: Limit access to the Magewell Pro Convert management interface to authorized personnel only.
- Monitor Network Traffic: Monitor network traffic for suspicious activity, such as unauthorized account creation attempts.
- Web Application Firewall (WAF): Consider deploying a Web Application Firewall (WAF) to detect and block malicious requests targeting the /mwapi?method=add-user endpoint.
- Educate Users: Educate users about the risks of CSRF attacks and advise them to be cautious when clicking links or visiting websites from untrusted sources.
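As an added illustration of the token and origin checks recommended above (example code written for this page, not Magewell firmware), the following Python gate rejects the forged GET described in the advisory and admits only a same-origin POST that carries a valid per-session token. The device origin, the header and cookie names, the request representation and the read-only "get-status" method are all assumptions made for the example.

```python
# Added example, not Magewell's code: a server-side CSRF gate for the
# /mwapi?method=add-user endpoint, modelled on the mitigations listed above.
# Assumptions (constructed for illustration): a request is a dict with
# method/path/headers/cookies; the device UI lives at TRUSTED_ORIGIN; the
# synchronizer token travels in X-CSRF-Token and is bound to the session cookie.
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

TRUSTED_ORIGIN = "https://convert.example.internal"   # assumed device origin
SECRET = b"server-side secret (constructed)"          # never sent to browsers
STATE_CHANGING = {"add-user"}                         # API methods that need a token

def csrf_token(session_id: str) -> str:
    """Derive a per-session token; the server recomputes it, so nothing is stored."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def check_request(req: dict) -> tuple[bool, str]:
    """Return (allowed, reason). Run this before dispatching any /mwapi call."""
    parts = urlsplit(req["path"])
    api_method = parse_qs(parts.query).get("method", [""])[0]
    if parts.path != "/mwapi" or api_method not in STATE_CHANGING:
        return True, "not a state-changing call"
    if req["method"] != "POST":
        # A state change reachable by GET is exactly what an <img>/link lure exploits.
        return False, "state change via GET (img/link lure possible)"
    source = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if not source:
        return False, "no Origin/Referer on a cross-site-capable request"
    src = urlsplit(source)
    if f"{src.scheme}://{src.netloc}" != TRUSTED_ORIGIN:
        return False, f"cross-origin source {src.netloc}"
    session = req["cookies"].get("session", "")
    token = req["headers"].get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, csrf_token(session)):
        return False, "missing or wrong CSRF token"
    return True, "same-origin POST with valid token"

# Constructed sample traffic: a forged GET from a lure page, a legitimate call,
# and a hypothetical read-only call that needs no token.
SAMPLES = {
    "forged": {"method": "GET", "path": "/mwapi?method=add-user",
               "headers": {"Referer": "https://attacker.example/lure.html"},
               "cookies": {"session": "abc123"}},
    "legit": {"method": "POST", "path": "/mwapi?method=add-user",
              "headers": {"Origin": TRUSTED_ORIGIN,
                          "X-CSRF-Token": csrf_token("abc123")},
              "cookies": {"session": "abc123"}},
    "read_only": {"method": "GET", "path": "/mwapi?method=get-status",
                  "headers": {}, "cookies": {}},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, check_request(req))
```

The reason strings double as audit-log material for the network-monitoring step above: a burst of "state change via GET" or "cross-origin source" rejections is the signature of an attempted CSRF lure.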
