Title: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (upload.cgi) Unauthenticated Remote Code Execution Advisory ID: ZSL-2022-5741 Type: Local/Remote Impact: System Access, DoS Risk: 5/5 Release Date: 14.12.2022 Summary The SOUND4 products suffer from an unauthenticated remote code execution vulnerability. An attacker can exploit this vulnerability by abusing the firmware upgrade/upload functionality, which contains a path traversal flaw. This allows the attacker to arbitrarily write a malicious file to a location on the system with www-data permissions, which can be executed to gain unauthorized access. Affected Version FM/HD Radio Processing: Impact/Pulse/First (Version 2: 1.1/2.15), Impact/Pulse/First (Version 1: 2.1/1.69) Impact/Pulse Eco 1.1.6 Voice Processing: BigVoice1 1.2 BigVoice2 1.3.0 Web-Audio Streaming: Stream 1.1.2/4.29 Watermarking: WM2 (Kantar Media) 1.1.1 Vendor Status [26.09.2022] Vulnerability discovered. [30.09.2022] Vendor contacted. [13.12.2022] No response from the vendor. [14.12.2022] Public security advisory released. References 1. https://packetstormsecurity.com/files/170268/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-upload.cgi-Code-Execution.html 2. https://github.com/zeroscience/advisory/blob/master/ZSL-2022-5741%20(2) 3. https://exchange.xforce.ibmcloud.com/vulnerabilities/247951 Changelog [14.12.2022] - Initial release [28.12.2022] - Added reference [1] and [2] [20.04.2023] - Added reference [3]