Digigram PYKO-OUT Audio-Over-IP Web Server Passwordless Authentication Vulnerability
Vulnerability
The web server on Digigram's PYKO-OUT audio-over-IP (AoIP) device does not require a password by default. Any attacker who knows the device's IP address can therefore connect without credentials, potentially compromising the device and its functionality. The vulnerability could also be exploited to pivot to other networked or hardware-connected devices.
Impact
Exploitation of this vulnerability allows unauthorized access to the device's configuration and control over its audio inputs and outputs. Additionally, it could lead to unauthorized access to other connected network or physical devices, such as those linked via USB.
Remediation
Users can manually change the password settings within the web server interface to require authentication. However, Digigram has marked this product as end-of-life and will not provide an official patch. The PYKO-OUT is no longer available for purchase.
