CVE-2025-63953

6.5 MEDIUM

📋 TL;DR

This CSRF vulnerability in Magewell Pro Convert allows attackers to create arbitrary user accounts without authorization by tricking authenticated administrators into clicking malicious links. It affects Magewell Pro Convert version 1.2.213 installations with the vulnerable /usapi?method=add-user endpoint accessible.

💻 Affected Systems

Products:
  • Magewell Pro Convert
Versions: v1.2.213
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default configuration when the /usapi endpoint is accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers create administrative accounts, gaining full control over the system, potentially leading to data theft, system compromise, or ransomware deployment.

🟠 Likely Case

Attackers create standard user accounts to establish persistence, conduct reconnaissance, or escalate privileges through other vulnerabilities.

🟢 If Mitigated

With proper CSRF protections, the attack fails, maintaining normal account creation controls through authorized administrative actions only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated administrator into clicking a malicious link or visiting a crafted webpage.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.magewell.com

Restart Required: No

Instructions:

Check Magewell website for security updates. If patch available, download and install following vendor instructions.

🔧 Temporary Workarounds

Implement CSRF Tokens (platform: all)

Add anti-CSRF tokens to the /usapi endpoint to validate legitimate requests.

Restrict API Access (platform: linux)

Block external access to the /usapi endpoint via firewall or web server configuration.

iptables -A INPUT -p tcp --dport [PORT] -m string --string "/usapi" --algo bm -j DROP

Note that this string match only inspects plaintext HTTP, so it does nothing for TLS traffic, and it drops every request containing "/usapi", legitimate administrative use included; a rule keyed on trusted source addresses is the more reliable form of this workaround.

🧯 If You Can't Patch

  • Implement network segmentation to isolate Magewell Pro Convert from untrusted networks.
  • Require multi-factor authentication for administrative accounts to reduce CSRF effectiveness.

🔍 How to Verify

Check if Vulnerable:

Test if /usapi?method=add-user endpoint accepts GET requests without CSRF tokens when authenticated.

Check Version:

Check software version in application interface or configuration files.

Verify Fix Applied:

Verify that /usapi endpoint now requires POST with CSRF tokens or returns error for unauthorized requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual user account creation events
  • Multiple failed authentication attempts followed by successful account creation

Network Indicators:

  • GET requests to /usapi?method=add-user from unexpected sources

SIEM Query:

source="magewell.log" AND (uri="/usapi" AND method="add-user")
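As an added example that is not part of this advisory, the following script applies the network indicator above to access-log lines: it flags add-user calls to /usapi that arrive as GET requests or carry a Referer from a host other than the device. The log format and the device address are assumptions, since the page does not document Magewell's log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a combined-log style (assumed format, not the
# product's documented one). 10.0.0.20 is the assumed address of the device.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jan/2025:10:01:02 +0000] "GET /usapi?method=get-status HTTP/1.1" 200 512 "http://10.0.0.20/" "Mozilla/5.0"
10.0.0.5 - admin [12/Jan/2025:10:02:15 +0000] "GET /usapi?method=add-user HTTP/1.1" 200 64 "http://evil.example/" "Mozilla/5.0"
10.0.0.5 - admin [12/Jan/2025:10:03:40 +0000] "POST /usapi?method=add-user HTTP/1.1" 200 64 "http://10.0.0.20/settings" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2025:10:04:01 +0000] "GET /usapi?method=add-user HTTP/1.1" 401 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def suspicious_add_user(line, device_host):
    """Return a finding dict for an add-user call to /usapi, else None.
    reasons lists why it looks CSRF-like: a state-changing GET (the pattern
    the advisory describes) and/or a Referer from a host that is not the device."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != "/usapi" or parse_qs(parts.query).get("method") != ["add-user"]:
        return None
    ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
    reasons = []
    if m["verb"] == "GET":
        reasons.append("state-changing add-user via GET")
    if ref_host is not None and ref_host != device_host:
        reasons.append(f"referer host {ref_host} is not the device")
    return {"ip": m["ip"], "user": m["user"], "status": m["status"], "reasons": reasons}

def scan(log_text, device_host):
    """Keep only add-user requests that triggered at least one reason."""
    findings = []
    for line in log_text.splitlines():
        f = suspicious_add_user(line, device_host)
        if f and f["reasons"]:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, "10.0.0.20"):
        print(finding)
```

A legitimate POST from the device's own UI produces no finding, while the GET lines are reported whether or not the request succeeded, so a 401 on this path is still worth a look.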
