CVE-2025-67737
📋 TL;DR
AzuraCast version 0.23.1 exposes an internal API endpoint, intended only for the bundled SFTPGo service, on the public HTTP API. An attacker who knows a station's SFTP username and the installation's internal filesystem layout can modify that station's database contents without authenticating. All AzuraCast installations running version 0.23.1 are affected.
💻 Affected Systems
- AzuraCast
📦 What is this software?
AzuraCast, the self-hosted web radio management suite, by the AzuraCast project
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated modification of station database contents, leading to service disruption, data corruption, or unauthorized changes to what a station broadcasts.
Likely Case
An attacker who has or obtains a station's SFTP username and knows the install's filesystem layout (for example a current or former SFTP user) alters that station's configuration or media records, disrupting operations.
If Mitigated
With the HTTP API reachable only from trusted networks, the endpoint can be hit only by clients already inside those networks, so exposure is reduced to parties who already have network access to the instance.
🎯 Exploit Status
No credentials are needed, but exploitation requires knowing a station's SFTP username and the installation's internal filesystem structure, which limits opportunistic mass exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.23.2
Vendor Advisory: https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-9449-rphm-mjqr
Restart Required: Yes
Instructions:
1. Back up your AzuraCast installation and database.
2. Update to version 0.23.2 with the update script: `./docker.sh update-self && ./docker.sh update`.
3. Restart all services: `./docker.sh restart`.
4. Confirm the installed version now reads 0.23.2 (see How to Verify below).
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to the AzuraCast HTTP ports to trusted networks only. Note that this also cuts off public listeners and the web UI from those ports; if the station must stay publicly reachable, block only the /api/internal/ path at a reverse proxy in front of AzuraCast instead. Replace TRUSTED_NETWORK with your CIDR and EXT_IF with the host's public interface.
# Docker install (./docker.sh): published container ports are forwarded, not delivered to INPUT,
# so the filter must sit in the DOCKER-USER chain (ports 80/443 are the defaults).
iptables -I DOCKER-USER -i EXT_IF -p tcp -m multiport --dports 80,443 ! -s TRUSTED_NETWORK -j DROP
# Bare-metal install: the same filter on the INPUT chain.
iptables -I INPUT -p tcp -m multiport --dports 80,443 ! -s TRUSTED_NETWORK -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate AzuraCast from untrusted networks.
- Review and monitor SFTP user accounts and file system access patterns for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check the AzuraCast version by running `cat /var/azuracast/www/VERSION` or via the web interface at /api/status. If it reports 0.23.1, the system is vulnerable.
Check Version:
cat /var/azuracast/www/VERSION
Verify Fix Applied:
After updating, confirm the version reads 0.23.2 with the same commands, then confirm from outside the trusted network that requests to /api/internal/sftpgo/ are rejected rather than served.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /api/internal/sftpgo/ paths that did not originate from the SFTPGo service itself
- Station configuration or media records changing with no matching authenticated web UI or API action in the logs
Network Indicators:
- HTTP requests to /api/internal/sftpgo/* endpoints from unauthorized sources
SIEM Query:
source="azuracast" AND (uri_path="/api/internal/sftpgo/*" AND src_ip NOT IN [trusted_networks])
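The same detection logic as the SIEM query above, run offline over web server access log lines, as an added example that is not part of the original page or of AzuraCast's own code. It assumes an nginx "combined" log format, a site-specific set of trusted networks (loopback and private ranges here, since SFTPGo's own hook calls come from inside the host), and placeholder sub-paths under /api/internal/sftpgo/; the advisory names only the prefix, so the route names in the constructed sample lines are not the real ones.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Networks whose clients may legitimately call the internal SFTPGo hooks
# (assumption: adjust to your deployment; SFTPGo normally calls from the host itself).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]
INTERNAL_PREFIX = "/api/internal/sftpgo/"

# nginx "combined" format; the exact layout of your access log is an assumption,
# so adapt the regex if your proxy logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable client address is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_line(line: str) -> Optional[dict]:
    """Split one access log line into ip/ts/method/path/status, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so "/api/internal/sftpgo/x?y=1" still matches the prefix.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_suspicious(lines: Iterable[str]) -> list:
    """Return parsed records for internal-endpoint requests from untrusted sources."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(INTERNAL_PREFIX) and not is_trusted(rec["ip"]):
            hits.append(rec)
    return hits


# Constructed sample log: two external probes of the internal prefix, one legitimate
# internal call, one harmless public request, and one unparsable line.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2025:10:15:01 +0000] "POST /api/internal/sftpgo/hook HTTP/1.1" 200 52 "-" "curl/8.5.0"
10.0.0.5 - - [12/Dec/2025:10:15:02 +0000] "POST /api/internal/sftpgo/hook HTTP/1.1" 200 52 "-" "Go-http-client/1.1"
203.0.113.7 - - [12/Dec/2025:10:15:03 +0000] "GET /api/status HTTP/1.1" 200 40 "-" "curl/8.5.0"
198.51.100.9 - - [12/Dec/2025:10:15:04 +0000] "POST /api/internal/sftpgo/action?station=1 HTTP/1.1" 404 0 "-" "python-requests/2.32"
garbage line that does not parse
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Requests are flagged regardless of status code: a 404 from an external client probing the prefix is still reconnaissance worth seeing. If AzuraCast sits behind a reverse proxy, the logged client address will be the proxy's; log and parse the forwarded client address instead, or every hit will appear trusted.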