CVE-2025-28235 is an information disclosure vulnerability affecting the Soundcraft Ui Series digital mixing consoles, specifically the Ui12 and Ui16 models running firmware versions 1.0.7x and 1.0.5x. The vulnerability resides in the /socket.io/1/websocket/ component of the device's firmware. Due to improper handling of sensitive data within this WebSocket endpoint, an unauthenticated remote attacker can access Administrator credentials in plaintext. This flaw allows attackers to retrieve highly sensitive authentication information without requiring any prior authentication or user interaction. The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high severity level, with an attack vector classified as network-based (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is limited to confidentiality (C:H), with no direct impact on integrity or availability. The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). No patches or mitigations have been officially released at the time of this report, and no known exploits are currently observed in the wild. However, given the nature of the exposed credentials, successful exploitation could lead to unauthorized administrative access to the affected devices, potentially allowing further malicious activities such as configuration changes, interception of audio streams, or pivoting within the network environment where these devices are deployed.

For European organizations, especially those in the media, entertainment, live event production, and broadcasting sectors, this vulnerability poses a significant risk. Soundcraft Ui Series consoles are widely used in professional audio environments, including concert venues, theaters, conference centers, and broadcast studios. Unauthorized access to administrator credentials could lead to compromise of audio control systems, disruption of live events, or unauthorized surveillance through audio streams. Additionally, these devices often reside within corporate or institutional networks, so attackers gaining administrative access could use them as footholds for lateral movement or data exfiltration. The confidentiality breach of administrator credentials undermines trust in the security of critical audio infrastructure and could result in reputational damage, operational disruptions, and financial losses. Given the network-exposed nature of the vulnerability and lack of required authentication, attackers can exploit this remotely, increasing the risk for organizations with internet-facing or poorly segmented audio equipment networks.

1. Network Segmentation: Immediately isolate Soundcraft Ui12 and Ui16 devices from public internet access and restrict their network exposure to trusted internal segments only. 2. Access Controls: Implement strict firewall rules to limit access to the /socket.io/1/websocket/ endpoint to authorized management workstations or VLANs. 3. Monitoring and Logging: Enable detailed logging on network devices and monitor for unusual access patterns to the affected WebSocket endpoint, including repeated or anomalous connection attempts. 4. Credential Rotation: Proactively change administrator credentials on all affected devices to strong, unique passwords to limit the window of exposure. 5. Vendor Engagement: Engage with the device vendor or authorized support channels to obtain firmware updates or patches as soon as they become available. 6. Temporary Workarounds: If possible, disable or restrict the WebSocket service or the vulnerable endpoint until a patch is released. 7. Incident Response Preparedness: Prepare to respond to potential compromise scenarios involving these devices, including forensic analysis and network containment procedures. 8. Physical Security: Ensure physical access to the devices is controlled to prevent local exploitation or tampering.