CVE-2025-54756
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 use a default password that is guessable with knowledge of the device information. The latest release fixes this issue for new installations; users of old installations are encouraged to change all default passwords.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| BrightSign | BrightSign OS series 4 players | 0 < v8.5.53.1 | affected |
| BrightSign | BrightSign OS series 5 players | 0 < v9.0.166 | affected |
Weaknesses
- CWE-1392: CWE-1392
Workarounds
BrightSign recommends the following security practices:
Change default passwords when the device is initially set up.
Disable the local DWS as described in "High Security settings".
Disable the SSH/telnet server when not being used - it is not enabled by default.
Devices should be located where an attacker does not have physical access to the device.
SD and USB ports can be disabled if not needed.
For more information, please contact BrightSign via their website. https://www.brightsign.biz/contact-us/
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-126-03
- https://www.brightsign.biz/resources/software-downloads/
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-126-03.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.