The Pulse
The official blog of Sentinel Technologies
Vulnerability Discovered in Gefen Audio/Video Systems: Sentinel Team Uncovers CVE-2025-25504
by Troy Wilson, Sentinel Exploitation Analyst
Sentinel’s penetration testing team recently identified and disclosed a vulnerability - tracked as CVE-2025-25504 - in Gefen AV over IP devices. This vulnerability allows unauthenticated attackers to gain privileged access to the host and could be used to conduct further attacks against the network.
This post outlines how the vulnerability was discovered and what organizations can do to protect themselves. The original blog post disclosing this vulnerability can be found here.
Discovery of CVE-2025-25504
During an internal penetration test on one of our customers' networks, Sentinel penetration tester Troy Wilson was evaluating a network appliance when they uncovered a previously unknown flaw in the Gefen AV over IP products. The penetration tester found that it was possible to obtain root access to both Gefen Senders and Gefen Receivers without requiring any credentials.
This access could allow an attacker to perform actions such as:
- Attempt lateral movement by retrieving sensitive device configuration
- Create a denial-of-service (DoS) scenario by triggering system reboots
- Use the device to obtain persistence in the network
- Launch attacks against the internal network using the device as a proxy
Because these types of devices do not support common antivirus or EDR solutions, this activity may go undetected, allowing a threat actor to remain in the environment. Only a limited number of devices were available for testing, so it is unclear which versions are vulnerable to CVE-2025-25504, but the known versions are:
| Kernel Version | WebFWC Version |
| --- | --- |
| A5.310 | V1.85h |
| A5.310 | V1.86v |
| A5.22 | V1.70v |
Technical Details
CVE-2025-25504 is a vulnerability in Gefen AV over IP devices that provides access to a shell running as root. This is due to a script on the devices named jncs.sh which is executed by services running under the context of the root user. The contents of this script can be seen below:

The two scripts that call jncs.sh are link_mgrc.sh and link_mgrh.sh – both located in the /local/bin directory. None of the public documentation from Gefen provides insight into these scripts or the code within them, but they appear to be used to perform changes on peer devices by syncing across configuration files.
Anyone with network access to the device can connect to port 4444/TCP to obtain a root shell, granting full control over the device. Connections can be made with any utility capable of connecting to a TCP port, including netcat:

Who Is Affected?
Organizations with Gefen AV over IP devices are at risk, particularly if the management interface is accessible from untrusted networks. Devices left exposed to the internet or poorly segmented from internal users are especially vulnerable.
At the time of publication, no patch or official mitigation has been released by the vendor, so patching is not currently an option. This blog will be updated if new information about a patched version becomes available.
Sentinel’s Process
Identifying risks like CVE-2025-25504 is only part of how Sentinel protects our clients. Our services go beyond vulnerability discovery to include in-depth penetration tests and remediation guidance - helping organizations stay secure in an ever-changing threat landscape.
At Sentinel, we are committed to responsible vulnerability disclosure. Upon identifying CVE-2025-25504, our team privately notified the vendor and provided a detailed technical report to assist in understanding and addressing the issue.
Despite multiple outreach attempts, the vendor has not responded or released a patch for this vulnerability. To help organizations protect themselves, Sentinel has published technical details and recommended mitigations publicly, while continuing to encourage the vendor to address the issue.
Our goal in disclosing these findings is to raise awareness and empower the security community and affected organizations to take appropriate steps to reduce risk in the absence of a vendor-supplied fix.
Recommendations to Customers
Until a vendor patch is made available, organizations using Gefen AV over IP devices should take the following precautions:
- Assess device exposure: Identify any Gefen AV over IP devices that are exposed to broader internal networks or the internet.
- Restrict network access: Implement strict network segmentation and firewall rules to limit access to the web portal or port 4444/TCP on affected devices.
- Monitor for suspicious activity: Regularly review network and device logs for unusual connections, particularly traffic to 4444/TCP from a non-Gefen device, which may indicate exploitation attempts.
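One way to implement the monitoring recommendation above, as an added example that is not Sentinel's or Gefen's code: it scans flow records for TCP connections to port 4444 on Gefen devices from sources outside the Gefen inventory and summarizes them per source. The subnet, the CSV flow format, and the sample records are constructed assumptions; adapt them to your own flow export.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: Gefen senders/receivers sit in a dedicated subnet (constructed value).
GEFEN_NETS = [ipaddress.ip_network("10.20.30.0/24")]
SHELL_PORT = 4444  # port named in the advisory

# Constructed flow records: time,proto,src,dst,dst_port
SAMPLE_FLOWS = """\
2025-03-01T09:00:01Z,tcp,10.20.30.11,10.20.30.12,4444
2025-03-01T09:02:17Z,tcp,10.50.1.23,10.20.30.12,4444
2025-03-01T09:02:40Z,tcp,10.50.1.23,10.20.30.11,4444
2025-03-01T09:05:00Z,tcp,10.50.1.40,10.20.30.12,80
2025-03-01T09:06:12Z,udp,10.50.1.41,10.20.30.12,4444
2025-03-01T09:07:00Z,tcp,garbage,10.20.30.12,4444
2025-03-01T09:09:09Z,tcp,192.0.2.7,10.20.30.11,4444
"""

def is_gefen(addr):
    return any(addr in net for net in GEFEN_NETS)

def find_suspect_sources(flow_text):
    """Map each non-Gefen source that reached 4444/TCP on a Gefen device to a summary."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "targets": set()})
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5:
            continue  # wrong field count
        ts, proto, src, dst, port = (f.strip() for f in row)
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # malformed address or port
        if proto.lower() != "tcp" or port != SHELL_PORT:
            continue
        if not is_gefen(dst_ip) or is_gefen(src_ip):
            continue  # peer-to-peer Gefen traffic is expected; anything else is not
        h = hits[src]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)  # ISO-8601 UTC sorts as text
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["targets"].add(dst)
    return dict(hits)

if __name__ == "__main__":
    for src, h in sorted(find_suspect_sources(SAMPLE_FLOWS).items()):
        print(f"ALERT {src} -> 4444/TCP on {sorted(h['targets'])} x{h['count']} ({h['first']} .. {h['last']})")
```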
Sentinel will continue to monitor the situation and provide updates if a vendor patch or additional mitigation guidance becomes available.
Conclusion
The discovery of CVE-2025-25504 highlights the importance of ongoing security research and strong vulnerability management practices. Sentinel remains committed to advancing the security of our clients and the broader technology ecosystem.
If you are interested in learning more about our penetration testing process, contact us or your Sentinel Account Manager today!
