
R Radio Network FM Transmitter 1.07 system.cgi Password Disclosure

Critical
Advisory ID: ZSL-2023-5802
Release Date: 03 December 2023
Vendor: R Radio Network - http://www.pktc.ac.th
Affected Version: 1.07
Tested On: CSBtechDevice
Summary

R Radio FM Transmitter that includes FM Exciter and FM Amplifier parameter setup.

Description

The transmitter suffers from improper access control that allows an unauthenticated actor to directly reference the system.cgi endpoint and disclose the clear-text password of the admin user, allowing authentication bypass and access to the FM station setup.
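Until a device is upgraded to the fixed version 1.09, one way to watch for this exposure is to flag served requests for system.cgi that come from outside the management network. This is an added example, not part of the advisory or the vendor's code; it assumes a reverse proxy in front of the transmitter that writes Combined Log Format, and the `ADMIN_NETS` range, the URL paths and the sample log lines are constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: the only networks allowed to reach the transmitter's web UI.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Combined Log Format prefix: host ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_system_cgi(target):
    """True if the decoded request path names system.cgi (query ignored)."""
    path = unquote(urlsplit(target).path)
    return posixpath.basename(path.rstrip("/")).lower() == "system.cgi"

def is_admin_source(host, admin_nets):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname in the log: treat as untrusted
    return any(addr in net for net in admin_nets)

def find_exposures(lines, admin_nets=ADMIN_NETS):
    """Return (time, host, target) for system.cgi served to non-admin sources."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_system_cgi(m["target"]):
            continue
        if m["status"].startswith("2") and not is_admin_source(m["host"], admin_nets):
            hits.append((m["time"], m["host"], m["target"]))
    return hits

# Constructed sample lines (documentation address ranges, assumed URL paths).
SAMPLE = [
    '10.20.0.5 - - [03/Dec/2023:10:00:01 +0000] "GET /system.cgi HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Dec/2023:10:02:44 +0000] "GET /system.cgi HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    '203.0.113.7 - - [03/Dec/2023:10:02:50 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.4.0"',
    '198.51.100.9 - - [03/Dec/2023:10:05:12 +0000] "GET /system%2Ecgi?x=1 HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.9 - - [03/Dec/2023:10:05:30 +0000] "GET /system.cgi HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_exposures(SAMPLE):
        print("system.cgi served to non-admin source:", *hit)
```

Any hit on a device still running 1.07 should be treated as a possible disclosure of the admin password, so rotate that password after upgrading.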

Proof of Concept
Disclosure Timeline
09.10.2023 - Vulnerability discovered.
10.10.2023 - Vendor contacted.
10.10.2023 - Vendor responds asking for more details.
11.10.2023 - Sent details to the vendor.
14.10.2023 - Vendor confirms the issue, working on a patch.
29.10.2023 - Vendor releases version 1.09 to address this issue.
03.12.2023 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
03.12.2023 - Initial release
20.12.2023 - Added reference [1]
01.02.2024 - Added reference [2]
03.03.2024 - Added reference [3]
08.12.2025 - Added reference [4] and [5]