Old CVEs, Live Airwaves at Risk: Why Legacy SOUND4 Flaws Still Enable Full Remote Takeover Today

Aegiron 6 mins0

Affected Vendor & Products

SOUND4
Products: IMPACT / FIRST / PULSE / Eco
Affected Versions: 2.x and below
Deployment Type: Broadcast, radio, media streaming, embedded Linux appliances

Executive Risk Summary

SOUND4 IMPACT/FIRST/PULSE/Eco devices running firmware 2.x and below contain multiple critical and high-severity vulnerabilities that collectively allow:

  • Unauthenticated remote code execution
  • Authentication bypass
  • Arbitrary file read and write
  • Command injection
  • Hardcoded credential abuse
  • Persistent device compromise
  • Network abuse and amplification attacks

Any exposed SOUND4 system should be considered at high risk of full compromise.

Severity Overview

CVESeverityCore Impact
CVE-2022-50796CriticalUnauthenticated RCE via firmware upload
CVE-2022-50794CriticalUnauthenticated command injection
CVE-2022-50696CriticalHardcoded credentials
CVE-2022-50795HighConditional RCE via traceroute
CVE-2022-50793HighAuthenticated command injection
CVE-2022-50792HighArbitrary file disclosure
CVE-2022-50791HighConditional RCE via ping
CVE-2022-50789HighConditional RCE via DNS
CVE-2022-50695HighNetwork abuse / flooding
CVE-2022-50694HighSQL injection
CVE-2022-50790MediumStream information disclosure
CVE-2022-50788MediumLog file disclosure
CVE-2022-50787MediumStored XSS
CVE-2022-50692MediumSession hijacking

Key Vulnerability Classes Explained

Unauthenticated Remote Code Execution (RCE)

CVE-2022-50796 & CVE-2022-50794

  • Firmware upload (upload.cgi) allows path traversal
  • Attackers can write arbitrary files with www-data permissions
  • Username parameter in index.php / login.php is directly passed to shell
  • No authentication required

Impact:
Full system compromise
Persistent backdoors
Broadcast manipulation

Conditional Command Injection via System Tools

CVE-2022-50795 / 50791 / 50789

These vulnerabilities follow the same dangerous pattern:

  1. A local authenticated user creates a malicious file in /tmp
  2. An unauthenticated attacker triggers execution via:
    • ping.php
    • traceroute.php
    • dns.php
  3. File executes commands, then deletes itself

Impact:
One-shot remote command execution
Difficult forensic tracing

Hardcoded Credentials (Critical)

CVE-2022-50696

  • Static credentials embedded in server binaries
  • Cannot be changed through UI or configuration
  • Works across Linux and Windows deployments

Impact:
Guaranteed unauthorized access
Vendor backdoor-like behavior

File & Information Disclosure

CVE-2022-50792 / 50788 / 50790

Attackers can:

  • Read arbitrary system files via file GET parameter
  • Browse /log directory without authentication
  • Access live radio stream configuration via webplay / ffmpeg

Impact:
Credential leakage
System mapping
Broadcast intelligence gathering

🗄️ SQL Injection & Session Abuse

CVE-2022-50694 / 50692

  • SQL injection via username POST parameter
  • Weak session expiration allows reuse of old session tokens

Impact:
Authentication bypass
Account takeover

Chained Attack Scenario (Worst Case)

  1. Attacker logs in using hardcoded credentials
  2. Uploads malicious firmware or writes shell via upload.cgi
  3. Gains persistent RCE
  4. Reads configuration, logs, credentials
  5. Manipulates or disrupts broadcast streams
  6. Uses device for network flooding or lateral movement

Result: Silent, long-term compromise of broadcast infrastructure

MITRE ATT&CK Mapping

Initial Access

  • T1190 – Exploit Public-Facing Application
  • T1078 – Valid Accounts

Execution

  • T1059 – Command and Scripting Interpreter

Persistence

  • T1505 – Server-Side Backdoor
  • T1542 – Firmware Compromise

Credential Access

  • T1552 – Unsecured Credentials

Discovery

  • T1083 – File and Directory Discovery

Impact

  • T1499 – Denial of Service
  • T1565 – Data Manipulation

Detection & Monitoring

Indicators of Compromise

  • Unexpected files in /tmp
  • Web requests invoking:
    • ping.php
    • dns.php
    • traceroute.php
    • upload.cgi
  • Firmware updates outside maintenance windows
  • Unusual outbound ICMP traffic

Relevant Log Sources

  • Web server access logs
  • Firmware update logs
  • System process execution logs
  • Network monitoring / IDS logs

Mitigation & Remediation

Immediate Actions

  • Disconnect affected systems from the internet
  • Block access to management interfaces
  • Monitor for unauthorized firmware changes
  • Audit /tmp, /www, and binary directories

Permanent Fix

Apply vendor firmware updates and security patches from the official source:

Official Updates:
https://www.sound4.com

Final Assessment

This is not a single vulnerability issue — it is a systemic security failure.
SOUND4 devices running firmware 2.x or below expose broadcast infrastructure to full remote takeover with minimal effort.

If these systems are internet-facing, compromise should be assumed until proven otherwise.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.