CVE-2025-5124

A vulnerability classified as critical has been found in Sony SNC-M1, SNC-M3, SNC-RZ25N, SNC-RZ30N, SNC-DS10, SNC-CS3N and SNC-RX570N up to 1.30. This affects an unknown part of the component Administrative Interface. The manipulation leads to use of default credentials. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. It is recommended to change the configuration settings. The vendor was contacted early about this issue. They confirmed the existence but pointed out that they "have published the 'Hardening Guide' on the Web from July 2018 to January 2025 and have thoroughly informed customers of the recommendation to change their initial passwords".

CVSS v3 8.1 HIGH
CVSS v2.0 7.6 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.6^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:H/Au:N/C:C/I:C/A:C

Exploitability : 4.9 / Impact : 10.0

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://github.com/zeke2997/CVE_request_Sony
https://github.com/zeke2997/CVE_request_Sony#3-poc
https://vuldb.com/?ctiid.310203
https://vuldb.com/?id.310203
https://vuldb.com/?submit.564839
https://github.com/zeke2997/CVE_request_Sony

Configurations

No configuration.

History

28 May 2025, 18:15

Type	Values Removed	Values Added
References	~~() https://github.com/zeke2997/CVE_request_Sony -~~	() https://github.com/zeke2997/CVE_request_Sony -

28 May 2025, 14:58

Type	Values Removed	Values Added
Summary		(es) Se ha detectado una vulnerabilidad clasificada como crítica en las Sony SNC-M1, SNC-M3, SNC-RZ25N, SNC-RZ30N, SNC-DS10, SNC-CS3N y SNC-RX570N hasta la versión 1.30. Esta vulnerabilidad afecta a una parte desconocida de la interfaz administrativa. La manipulación implica el uso de credenciales predeterminadas. Es posible iniciar el ataque de forma remota. Es un ataque de complejidad bastante alta. Parece difícil de explotar. Se ha hecho público el exploit y puede que sea utilizado. La existencia real de esta vulnerabilidad aún se duda. Se recomienda cambiar la configuración. Se contactó con el proveedor con antelación para informarle sobre este problema. Confirmaron la existencia, pero señalaron que publicaron la 'Hardening Guide' en la web desde julio de 2018 hasta enero de 2025 y que informaron detalladamente a los clientes sobre la recomendación de cambiar sus contraseñas iniciales.

24 May 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-24 13:15

Updated : 2025-05-28 18:15

NVD link : CVE-2025-5124

Mitre link : CVE-2025-5124

CVE.ORG link : CVE-2025-5124

JSON object : View

Products Affected

No product.

CWE

CWE-1392

Use of Default Credentials

8.1 /10