CVE-2023-53740 is an authentication bypass vulnerability classified under CWE-862 affecting version 1.9.3 of the Screen SFT DAB Series, a compact radio DAB transmitter manufactured by DB Elettronica Telecomunicazioni SpA. The vulnerability arises due to missing authorization checks on the userManager.cgx endpoint, which handles administrative user management functions. An attacker can send a specially crafted JSON request containing a new MD5-hashed password to this endpoint without providing the current admin credentials or any form of authentication. This allows the attacker to overwrite the administrator password and gain full administrative access to the device. The vulnerability is remotely exploitable over the network (attack vector: adjacent network), requires low attack complexity, and does not require privileges or prior authentication. User interaction is needed only to send the crafted request. The impact on confidentiality and integrity is high since an attacker can fully control the device, potentially altering configurations or disrupting broadcast transmissions. Availability impact is low but could be elevated if the attacker intentionally disrupts services. The vulnerability does not require scope changes or chaining with other vulnerabilities. No patches or exploits are currently publicly available, but the high CVSS score (8.6) reflects the critical nature of the flaw. The device’s role in digital audio broadcasting infrastructure makes this vulnerability particularly sensitive, as unauthorized control could impact broadcast reliability and security.

For European organizations, particularly broadcasters and telecom operators using the Screen SFT DAB Series transmitters, this vulnerability poses a significant risk. Exploitation could lead to unauthorized administrative access, allowing attackers to alter device configurations, disrupt digital audio broadcasting services, or potentially use the compromised device as a foothold for further network intrusion. This could result in service outages, reputational damage, and regulatory non-compliance, especially under EU directives on critical infrastructure protection and data security. The impact extends beyond individual devices to potentially affect entire broadcast networks if multiple transmitters are compromised. Given the critical role of digital radio in public communication and emergency broadcasting, the vulnerability could also have societal implications. The lack of authentication requirement lowers the barrier for exploitation, increasing the urgency for mitigation in environments where these devices are accessible over internal or adjacent networks.

1. Immediately restrict network access to the management interface of the Screen SFT DAB transmitters, ideally isolating them on dedicated management VLANs or physically separate networks. 2. Implement strict firewall rules to limit access to the userManager.cgx endpoint only to authorized administrative hosts. 3. Monitor network traffic for unusual JSON requests targeting the userManager.cgx endpoint to detect potential exploitation attempts. 4. Enforce strong network segmentation between broadcast infrastructure and general enterprise networks to reduce exposure. 5. Engage with DB Elettronica Telecomunicazioni SpA for official patches or firmware updates addressing this vulnerability and apply them promptly once available. 6. Where possible, disable remote management features or require VPN access with multi-factor authentication for administrative access. 7. Conduct regular audits of device configurations and administrative accounts to detect unauthorized changes. 8. Develop incident response plans specific to broadcast infrastructure compromise scenarios to minimize downtime and impact.