Critical Bug Fixed in VINTEO Video Conferencing System

A critical remote code execution (RCE) vulnerability has been fixed in the Russian video conferencing system VINTEO. The flaw stemmed from a component whose implementation insufficiently filtered user-supplied data.

The VINTEO video conferencing server is intended for building new video conferencing infrastructure and scaling existing networks. According to the manufacturer, VINTEO solutions have facilitated approximately 10 million video conferences over the past 12 years.

The issue was assigned the identifier BDU:2025-07296 (CVSS score 9.3). It was discovered in January 2025 by Positive Technologies researchers Mikhail Klyuchnikov and Alexander Starikov during a code analysis of the software on a test environment that VINTEO had provided for research purposes.

According to the report, the manufacturer was notified of the issue and promptly released a patch for its customers that fully resolved it. A comprehensive software update containing the fix was prepared afterwards.

“In the event of successful exploitation of the vulnerability, a potential attacker could execute arbitrary commands, gain access to the server and take control of it. Subsequent attack scenarios could vary greatly,” comments Mikhail Klyuchnikov, Head of the Software Research Group in the Penetration Testing Department at Positive Technologies.

The vulnerability was present in VINTEO 30.0.0. Operators should check the version installed on their servers and update to version 30.2.0 or newer as soon as possible.