Overview
Digigrams PYKO-OUT audio-over-IP (AoIP) product is used for audio decoding and intended for various uses such as paging, background music, live announcements and others. It has hardware compatibility with two analog mono outputs and a USB port for storing local playlists. The product does not require a password by default, and when opened to the Internet, can allow attackers access to the device, where they can then pivot to attacking adjacent connected devices or compromise the device’s functionality.
Description
Digigram is an audio-based hardware and software vendor, providing various products including sound cards, AoIP gateways, and speaker-related support software. Digigram sells a PYKO-OUT audio-over-IP product that is used for audio decoding and intended for various uses such as paging, background music, and live announcements.
A vulnerability has been discovered within the web-server component of the PYKO-OUT AoIP, where the default configuration does not require any login information or password. This web server spawns on 192.168.0.100 by default. The lack of log-in credentials allows any attacker who discovers the vulnerable IP address of the device to connect and manipulate it, without any authentication or authorization.
An attacker who gains access to the device can access its configuration, control audio outputs and inputs, and potentially pivot to other connected devices, whether this be through network connections, or by placing malicious files in a connected USB device.
Impact
An attacker with access to a vulnerable device can access the devices configuration, control audio-over-IP data streams managed by the device, and pivot to other network and physical connected devices, such as through a connected USB thumb drive.
Solution
Digigram has marked this product as EOL and will not be providing a patch to change the default configuration. Users can alter the password settings within the web server UI and force attempted connections to provide a password. Additionally, the product is no longer being sold by Digigram.
Acknowledgements
Thanks to the reporter, Souvik Kandar. Additional thanks to CERT-FR. This document was written by Christopher Cullen.
Vendor Information
References
Other Information
| CVE IDs: | |
| Date Public: | 2025-05-02 |
| Date First Published: | 2025-05-02 |
| Date Last Updated: | 2025-05-02 14:37 UTC |
| Document Revision: | 1 |
Recent Posts
-
VU#722229: Radware Cloud Web Application Firewall Vulnerable to Filter Bypass
-
VU#360686: Digigram PYKO-OUT audio-over-IP (AoIP) does not require a password by default
-
VU#667211: Various GPT services are vulnerable to two systemic jailbreaks, allows for bypass of safety guardrails
-
VU#252619: Multiple deserialization vulnerabilities in PyTorch Lightning 2.4.0 and earlier versions
-
Unplanned outage impacting our off-site backup services
