CVE-2023-53775: CWE-384: Session Fixation in DB Elettronica Telecomunicazioni SpA Screen SFT DAB Series - Compact Radio DAB Transmitter
Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change user passwords by exploiting weak session management controls. Attackers can reuse IP-bound session identifiers to issue unauthorized requests to the userManager API and modify user credentials without proper authentication.
AI Analysis
Technical Summary
CVE-2023-53775 is a session fixation vulnerability categorized under CWE-384, found in version 1.9.3 of the Screen SFT DAB Series Compact Radio DAB Transmitter by DB Elettronica Telecomunicazioni SpA. The vulnerability arises from weak session management controls that allow an attacker to reuse session identifiers bound to an IP address. By exploiting this flaw, an attacker can bypass authentication mechanisms and send unauthorized requests to the userManager API, specifically to change user passwords without proper authentication. The attack vector is adjacent network (AV:A), requiring the attacker to be on the same network as the device or otherwise have network access to it. No privileges or user interaction are required, making exploitation relatively straightforward once access is gained. The vulnerability impacts the integrity of user credentials, potentially allowing attackers to gain persistent unauthorized access to the device. Although no public exploits are currently known, the high CVSS score (7.1) reflects the significant risk posed by this vulnerability. The device is typically used in digital audio broadcasting (DAB) infrastructure, which is critical for radio transmission services. The lack of vendor patches at the time of disclosure increases the urgency for interim mitigations. The vulnerability does not affect confidentiality or availability directly but compromises integrity and could lead to further attacks if exploited.
Potential Impact
For European organizations, particularly those involved in public and private digital radio broadcasting, this vulnerability poses a significant risk. Unauthorized password changes can lead to full device compromise, allowing attackers to manipulate broadcast content, disrupt services, or use the device as a foothold for lateral movement within the network. This could impact the integrity of broadcast transmissions, potentially causing misinformation or service outages. Given the critical nature of broadcasting infrastructure in Europe, especially in countries with extensive DAB networks, exploitation could have wide-reaching effects on communication reliability and public trust. Additionally, compromised devices might be leveraged in broader cyber campaigns targeting media and communication sectors. The vulnerability's network-based attack vector means that organizations with inadequate network segmentation or exposed management interfaces are particularly vulnerable. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.
Mitigation Recommendations
European organizations should immediately implement strict network segmentation to isolate Screen SFT DAB devices from general IT and internet-facing networks. Access to the userManager API should be restricted via firewall rules and VPNs to trusted administrators only. Continuous monitoring and logging of API requests should be enabled to detect anomalous password change attempts or session reuse patterns. Organizations should enforce strong session management policies, including regenerating session identifiers upon authentication and binding sessions to more than just IP addresses if possible. Until vendor patches are available, consider disabling remote management features or restricting management access to physically secure networks. Regularly audit device firmware versions and configurations to identify vulnerable instances. Engage with DB Elettronica Telecomunicazioni SpA for updates and apply patches promptly once released. Additionally, implement multi-factor authentication if supported to add an extra layer of security against unauthorized access.
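To make the session-management recommendation concrete, the following added example (constructed for this page, not code from DB Elettronica or the Screen SFT DAB firmware) models the weak pattern the advisory describes, a session id checked only against the client IP with no authentication state, beside a hardened store that regenerates the id at login, invalidates the pre-login id, binds the session to an IP plus User-Agent fingerprint, and enforces an idle timeout. Class names, the `userManager` wording and `IDLE_TIMEOUT` are assumptions.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 600  # seconds; constructed value for the example

def fingerprint(ip, user_agent):
    """Bind a session to more than the IP alone (IP plus User-Agent here)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

class WeakSessionStore:
    """Weak pattern: an id is bound only to the client IP and accepted for
    privileged userManager requests whether or not anyone logged in on it."""
    def __init__(self):
        self.sessions = {}  # sid -> {"ip": str}
    def open_session(self, ip):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"ip": ip}
        return sid
    def can_change_password(self, sid, ip):
        s = self.sessions.get(sid)
        return s is not None and s["ip"] == ip  # authentication state never checked

class HardenedSessionStore:
    """Hardened pattern: fresh id on login, pre-login id invalidated, session
    bound to an IP+User-Agent fingerprint, an authenticated user and an idle timeout."""
    def __init__(self):
        self.sessions = {}  # sid -> {"fp": str, "user": str | None, "seen": float}
    def open_session(self, ip, user_agent):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"fp": fingerprint(ip, user_agent), "user": None, "seen": time.time()}
        return sid
    def login(self, old_sid, user, ip, user_agent):
        self.sessions.pop(old_sid, None)  # regenerate: the pre-auth id dies here
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"fp": fingerprint(ip, user_agent), "user": user, "seen": time.time()}
        return sid
    def can_change_password(self, sid, ip, user_agent, now=None):
        s = self.sessions.get(sid)
        now = time.time() if now is None else now
        if s is None or s["user"] is None:
            return False  # unknown id or never authenticated
        if not hmac.compare_digest(s["fp"], fingerprint(ip, user_agent)):
            return False  # presented by a different client than it was issued to
        if now - s["seen"] > IDLE_TIMEOUT:
            self.sessions.pop(sid, None)
            return False  # expired; drop it so it cannot be replayed later
        s["seen"] = now
        return True
```

The same checks belong in front of every userManager handler, not only the password-change path, so that a reused or pre-authentication identifier is rejected uniformly.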
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Belgium, Sweden, Norway, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-12-08T23:43:00.992Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6939e5605ab76fdc5f2656d3
Added to database: 12/10/2025, 9:25:52 PM
Last enriched: 12/10/2025, 9:41:12 PM
Last updated: 12/11/2025, 3:47:08 AM