CVE-2023-53775: CWE-384: Session Fixation in DB Elettronica Telecomunicazioni SpA Screen SFT DAB Series - Compact Radio DAB Transmitter
Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change user passwords by exploiting weak session management controls. Attackers can reuse IP-bound session identifiers to issue unauthorized requests to the userManager API and modify user credentials without proper authentication.
AI Analysis
Technical Summary
CVE-2023-53775 is a session fixation vulnerability (CWE-384) in version 1.9.3 of the Screen SFT DAB Series compact radio DAB transmitter by DB Elettronica Telecomunicazioni SpA. It arises from weak session management controls that allow an attacker to reuse IP-bound session identifiers. With a reused identifier, an attacker can bypass authentication and issue unauthorized requests to the userManager API, in particular to change user passwords. Exploitation requires no user interaction, no prior authentication and no physical access, but it does require network access to the affected device. The CVSS 4.0 base score is 7.1 (high severity), reflecting an adjacent-network attack vector, low attack complexity, no privileges required and no user interaction. The impact falls primarily on the integrity of user credentials and potentially on the availability and confidentiality of the device's management interface. No patches or public exploits are currently available, but the vulnerability poses a significant risk to the operational security of broadcast infrastructure that relies on these devices. Session fixation here means that session identifiers are not invalidated or rotated upon login, so an attacker can hijack or reuse a session tied to an IP address and thereby bypass authentication controls.
Potential Impact
For European organizations, especially those in broadcasting, telecommunications, and media sectors using the Screen SFT DAB Series transmitters, this vulnerability could lead to unauthorized administrative access. Attackers could change user passwords, lock out legitimate administrators, or gain persistent control over the device. This could disrupt broadcasting services, degrade service availability, or allow further lateral movement within networks. The compromise of device credentials may also expose sensitive configuration data or enable manipulation of broadcast content, impacting confidentiality and integrity. Given the critical role of such transmitters in media distribution, exploitation could have cascading effects on communication reliability and public information dissemination. The lack of authentication requirements and user interaction increases the risk of automated or remote exploitation, particularly in environments where these devices are accessible over internal or adjacent networks.
Mitigation Recommendations
To mitigate this vulnerability, organizations should:
1) Immediately restrict network access to the affected devices, limiting connections to trusted management networks and IP addresses.
2) Implement network segmentation to isolate broadcast transmitters from general IT infrastructure.
3) Monitor network traffic for unusual API calls to the userManager interface, especially password change requests.
4) If possible, upgrade to a patched version once available or apply vendor-recommended configuration changes to enforce session identifier invalidation upon login.
5) Employ multi-factor authentication (MFA) on management interfaces if supported, to add an additional layer of security beyond session tokens.
6) Regularly audit user accounts and credentials on these devices to detect unauthorized changes.
7) Engage with DB Elettronica Telecomunicazioni SpA for updates and security advisories.
8) Consider deploying Web Application Firewalls (WAFs) or API gateways that can detect and block session fixation attempts or anomalous API usage patterns.
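As an added illustration of recommendation 3 (this is example code, not from the advisory or the vendor): a small detector that runs over constructed access-log lines and flags userManager password-change requests whose session identifier was never established by a login from that client. The log format, the `/login` endpoint and the `/userManager?action=changePassword` path are assumptions; adapt them to the device's actual logging.

```python
import re

# Constructed sample log lines (not from the advisory or the vendor). The
# "sid=" field, the /login endpoint and the /userManager?action=changePassword
# path are assumptions about how the device's API would appear in a log.
SAMPLE_LOG = """\
10.0.0.5 sid=a1b2c3 POST /login 200
10.0.0.5 sid=a1b2c3 POST /userManager?action=changePassword 200
10.0.0.9 sid=a1b2c3 POST /userManager?action=changePassword 200
10.0.0.7 sid=zz99yy POST /userManager?action=changePassword 200
10.0.0.7 sid=zz99yy GET /status 200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) sid=(?P<sid>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+)$"
)

def is_password_change(method, path):
    # Only the password-change call on the userManager API is of interest here.
    return method == "POST" and path.startswith("/userManager") and "changePassword" in path

def detect_session_reuse(log_text):
    """Return (client_ip, session_id, reason) for every password change issued by a
    session that was never established by a login, or by a session whose login came
    from a different client than the one now using it."""
    login_ip_by_sid = {}   # session id -> client IP that authenticated with it
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # skip lines that do not fit the expected format
        ip, sid, method, path, status = m.groups()
        if path == "/login" and status == "200":
            login_ip_by_sid[sid] = ip   # record who actually logged in
            continue
        if not is_password_change(method, path):
            continue
        if sid not in login_ip_by_sid:
            alerts.append((ip, sid, "password change without any observed login"))
        elif login_ip_by_sid[sid] != ip:
            alerts.append((ip, sid, f"session id reused from {login_ip_by_sid[sid]}"))
    return alerts

if __name__ == "__main__":
    for ip, sid, reason in detect_session_reuse(SAMPLE_LOG):
        print(f"ALERT client={ip} session={sid}: {reason}")
```

On the sample input the detector raises two alerts: the session reused from a second host, and the password change made by a session that never logged in.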
Affected Countries
Italy, Germany, France, United Kingdom, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-12-08T23:43:00.992Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 12/10/2025, 9:25:52 PM
Last enriched: 12/17/2025, 11:05:24 PM
Last updated: 2/7/2026, 9:14:03 AM