CVE-2022-50696
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain hardcoded credentials embedded in server binaries that cannot be modified through normal device operations. Attackers can leverage these static credentials to gain unauthorized access to the device across Linux and Windows distributions without requiring user interaction.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SOUND4 Ltd. | Impact/Pulse/First | Version 2: 1.1/2.15 | affected |
| SOUND4 Ltd. | Impact/Pulse Eco | 1.16 | affected |
| SOUND4 Ltd. | BigVoice4 | 1.2 | affected |
| SOUND4 Ltd. | BigVoice2 | 1.30 | affected |
| SOUND4 Ltd. | Stream | 1.1/2.4.29 | affected |
| Kantar Media | WM2 | 1.11 | affected |
Weaknesses
- CWE-798: Use of Hard-coded Credentials
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
References
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5729.php
- https://packetstormsecurity.com/files/170256/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-Hardcoded-Credentials.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247949
- https://www.sound4.com/
- https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-hardcoded-credentials-authentication-bypass
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.