CVE-2025-28228 Scanner
CVE-2025-28228 Scanner - Credentials Disclosure vulnerability in Electrolink FM/DAB/TV Transmitter
Short Info
Level
Single Scan
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 3 hours
Scan only one: URL
Electrolink FM/DAB/TV Transmitter is a series of transmitters for broadcasting radio and television signals. The product is used in FM, DAB, and TV transmission systems by radio stations and television networks, and Electrolink transmitters are widely utilized in the broadcasting industry. The transmitters come in different power capacities, including 500W, 1kW, and 2kW versions, and include control and monitoring features. Electrolink provides both web and display interfaces to manage and configure the transmitters remotely.
The vulnerability in Electrolink FM/DAB/TV Transmitter occurs due to improper handling of credentials in the Web and Display interfaces of the transmitter. The affected versions (v01.09, v01.08, v01.07, and Display v1.4, v1.2) expose credentials in plaintext, which can be accessed by unauthorized attackers. This allows attackers to easily retrieve the credentials for accessing the transmitter's web interface and potentially gain control over the device. The lack of proper encryption or hashing for storing credentials creates a significant security risk, as attackers can exploit this flaw to access sensitive system settings and control the transmitter remotely.
The vulnerability is triggered when an attacker sends a GET request to the /controlloLogin.js path, which is responsible for handling the login process. The response body contains plaintext credentials, such as the comparisons user=='guest' and password=='guest'. These credentials are not secured or hashed, so anyone who knows the endpoint can retrieve them. The vulnerability affects multiple versions of the Electrolink transmitter web and display interfaces, making it critical for users to upgrade to newer versions that address this issue.
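The check described above can be reproduced offline by an asset owner against a saved copy of the script from their own device. The following is an added example, not the scanner's own code: the function names and both sample bodies are constructed for illustration, and submitToServer is a hypothetical name. It flags credential comparisons embedded in client-side JavaScript and redacts the literal values in its report.

```python
import re

# Matches JavaScript comparisons of a credential-like variable against a
# string literal, e.g. user=='guest' or password === "secret".
CRED_COMPARE = re.compile(
    r"""\b(?P<name>user(?:name)?|pass(?:word|wd)?|pwd)\s*
        (?P<op>===?)\s*
        (?P<quote>['"])(?P<value>[^'"\\]*)(?P=quote)""",
    re.IGNORECASE | re.VERBOSE,
)


def find_hardcoded_credentials(js_text):
    """Return one finding per credential comparison; literal values are redacted."""
    findings = []
    for lineno, line in enumerate(js_text.splitlines(), start=1):
        for m in CRED_COMPARE.finditer(line):
            findings.append({
                "line": lineno,
                "variable": m.group("name"),
                "literal_length": len(m.group("value")),
                "redacted": f"{m.group('name')}{m.group('op')}'***'",
            })
    return findings


def is_exposed(js_text):
    """True when both a user and a password comparison are present."""
    names = {f["variable"].lower() for f in find_hardcoded_credentials(js_text)}
    has_user = any(n.startswith("user") for n in names)
    has_pass = any(n.startswith(("pass", "pwd")) for n in names)
    return has_user and has_pass


# Constructed sample bodies (not captured from a real device).
VULNERABLE_SAMPLE = """\
function controlloLogin(user, password) {
    if (user=='guest' && password=='guest') { return true; }
    return false;
}
"""
# Hypothetical fixed form: the check is delegated to the server.
FIXED_SAMPLE = """\
function controlloLogin(user, password) {
    return submitToServer(user, password);
}
"""
```

A positive result means the credentials should be treated as disclosed and rotated after upgrading, since anyone who could reach the interface could have read them.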
If exploited, this vulnerability can lead to unauthorized access to the Electrolink FM/DAB/TV Transmitter’s web and display interfaces. Attackers can log in using the exposed credentials and modify the transmitter’s settings, which could disrupt broadcasting services, cause unauthorized signal transmission, or enable further attacks on the network. The exposure of credentials also poses a significant threat to the integrity and security of the broadcasting system. In some cases, attackers could gain full administrative control over the transmitter, leading to a complete compromise of the system.