BrightSign Players Default Password Vulnerability Allowing Privilege Escalation and Code Execution
Vulnerability
A vulnerability exists in BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 and series 5 prior to v9.0.166. These versions ship with a default password that can be easily guessed by anyone with knowledge of the device information. An attacker who exploits the default password could escalate privileges on the device or execute arbitrary code on the underlying operating system.
Impact
Exploitation of this vulnerability could allow unauthorized users to gain elevated privileges on the device, access accounts with higher privileges, or execute arbitrary code on the device's operating system.
Remediation
Users are encouraged to change all default passwords. BrightSign has released patches for this vulnerability in v8.5.53.1 for series 4 players and v9.0.166 for series 5 players. Both versions are available on the BrightSign download site.
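A fleet-side way to act on this remediation is to compare each player's OS build against the fixed versions named above and to flag any player still on its default credentials. The script below is an added example and is not BrightSign's code; it assumes OS versions are dotted integer strings such as "8.5.53.1", that the inventory records each player's series (4 or 5), and that an inventory field `default_password_changed` records whether an administrator has replaced the default password. The player ids and versions in the sample inventory are constructed.

```python
# Added example (not BrightSign's code): triage a player inventory against the
# advisory. Assumes version strings are dotted integers like "8.5.53.1" and that
# the inventory records each player's series and whether its default password
# was changed (hypothetical field name: default_password_changed).

PATCHED_VERSION = {
    4: (8, 5, 53, 1),   # series 4 fixed in v8.5.53.1
    5: (9, 0, 166),     # series 5 fixed in v9.0.166
}


def parse_version(version: str) -> tuple:
    """'v8.5.53.1' -> (8, 5, 53, 1); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().lstrip("vV").split("."))


def is_vulnerable_version(series: int, version: str) -> bool:
    """True when the OS build predates the fixed release for its series."""
    if series not in PATCHED_VERSION:
        raise ValueError(f"unknown BrightSign series: {series}")
    # Python compares tuples element-wise, so (8, 5, 53) < (8, 5, 53, 1) holds:
    # a three-part build on the patched branch is still older than the fix.
    return parse_version(version) < PATCHED_VERSION[series]


def triage(inventory):
    """Return {player_id: [findings]} for every player that still needs action.

    A player is listed if it is unpatched, still uses the default password,
    or both; the advisory asks for both remediations.
    """
    findings = {}
    for player in inventory:
        issues = []
        if is_vulnerable_version(player["series"], player["os_version"]):
            issues.append("os-needs-patch")
        if not player["default_password_changed"]:
            issues.append("default-password-in-use")
        if issues:
            findings[player["id"]] = issues
    return findings


# Constructed sample inventory (hypothetical player ids and versions).
SAMPLE_INVENTORY = [
    {"id": "lobby-01", "series": 4, "os_version": "8.5.47.2", "default_password_changed": False},
    {"id": "lobby-02", "series": 4, "os_version": "8.5.53.1", "default_password_changed": True},
    {"id": "atrium-01", "series": 5, "os_version": "9.0.150", "default_password_changed": True},
    {"id": "atrium-02", "series": 5, "os_version": "9.0.166", "default_password_changed": False},
]

if __name__ == "__main__":
    for player_id, issues in triage(SAMPLE_INVENTORY).items():
        print(player_id, ", ".join(issues))
```

Running the script prints one line per player that still needs work; a fully patched player whose default password has been changed (lobby-02 in the sample) produces no output. The version comparison is deliberately done on integer tuples rather than strings so that "8.5.53.1" sorts after "8.5.9", which a plain string comparison would get wrong.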
