CVE-2024-25734 is a vulnerability identified in WyreStorm Apollo VX20 devices running firmware versions before 1.3.58. The flaw resides in the TELNET service's authentication mechanism, where the system prompts for a password only after a valid username is entered. This behavior allows remote attackers to perform user enumeration by submitting usernames and observing whether a password prompt appears, thereby confirming valid accounts. The vulnerability is classified under CWE-200 (Information Exposure). The CVSS v3.1 base score is 7.5 (high), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that the attack is network-based, requires no privileges or user interaction, and impacts confidentiality with high severity. While the vulnerability does not directly allow unauthorized access or code execution, the ability to enumerate valid usernames can facilitate further targeted attacks such as brute force password attempts or social engineering. No public exploits have been reported yet, but the exposure of valid account information significantly aids attackers in reconnaissance phases. The vulnerability affects the TELNET service, a protocol often considered insecure and deprecated, but still used in some AV and control systems like WyreStorm Apollo VX20. The lack of a patch link suggests that users should verify firmware versions and update to 1.3.58 or later where the issue is resolved.

For European organizations, especially those deploying WyreStorm Apollo VX20 devices in audiovisual, conference, or control environments, this vulnerability poses a significant risk by enabling attackers to enumerate valid user accounts remotely. This information disclosure can lead to targeted brute force attacks or credential stuffing, potentially compromising device access and control systems. Although the vulnerability does not directly allow system compromise, it lowers the barrier for attackers to gain unauthorized access by revealing valid usernames. This can result in unauthorized control over AV infrastructure, disruption of services, or leakage of sensitive operational information. Given the criticality of AV systems in corporate, governmental, and educational institutions across Europe, exploitation could impact confidentiality and operational security. The vulnerability's network-based nature means attackers can exploit it remotely without authentication or user interaction, increasing the attack surface. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future attacks, especially as threat actors often leverage user enumeration for initial access attempts.

Organizations should immediately verify the firmware version of all WyreStorm Apollo VX20 devices and upgrade to version 1.3.58 or later where the vulnerability is fixed. If upgrading is not immediately possible, restrict TELNET access to trusted management networks using firewall rules or network segmentation to prevent unauthorized remote access. Disable TELNET service entirely if it is not required, replacing it with more secure management protocols such as SSH. Implement strong password policies and account lockout mechanisms to mitigate brute force attempts that may follow user enumeration. Monitor network traffic for unusual TELNET connection attempts and failed authentication events to detect potential reconnaissance activity. Conduct regular audits of device configurations and access logs to identify suspicious behavior. Educate IT and security teams about the risks of user enumeration and the importance of securing legacy protocols like TELNET in AV environments.