CVE-2025-54756

Summary

BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 use a default password that is guessable with knowledge of the device information. The latest release fixes this issue for new installations; users of old installations are encouraged to change all default passwords.

Affected Software

VendorProductVersion RangeStatus
BrightSignBrightSign OS series 4 players0 < v8.5.53.1affected
BrightSignBrightSign OS series 5 players0 < v9.0.166affected

Weaknesses

  • CWE-1392: CWE-1392

Workarounds

BrightSign recommends the following security practices:

  • Change default passwords when the device is initially set up.

  • Disable the local DWS as described in "High Security settings".

  • Disable the SSH/telnet server when not being used - it is not enabled by default.

  • Devices should be located where an attacker does not have physical access to the device.

  • SD and USB ports can be disabled if not needed.

For more information, please contact BrightSign via their website. https://www.brightsign.biz/contact-us/

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References