CVE-2025-3925

BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 contain an execution with unnecessary privileges vulnerability, allowing for privilege escalation on the device once code execution has been obtained.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.brightsign.biz/resources/software-downloads/
https://www.cisa.gov/news-events/ics-advisories/icsa-25-126-03

Configurations

No configuration.

History

08 May 2025, 14:39

Type	Values Removed	Values Added
Summary		(es) Los reproductores BrightSign que ejecutan BrightSign OS serie 4 anterior a v8.5.53.1 o serie 5 anterior a v9.0.166 contienen una vulnerabilidad de ejecución con privilegios innecesarios, lo que permite la escalada de privilegios en el dispositivo una vez que se ha obtenido la ejecución del código.

07 May 2025, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-07 21:16

Updated : 2025-05-08 14:39

NVD link : CVE-2025-3925

Mitre link : CVE-2025-3925

CVE.ORG link : CVE-2025-3925

JSON object : View

Products Affected

No product.

CWE

CWE-250

Execution with Unnecessary Privileges

{"id": "CVE-2025-3925", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-07T21:16:03.897", "references": [{"url": "https://www.brightsign.biz/resources/software-downloads/", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-126-03", "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-250"}]}], "descriptions": [{"lang": "en", "value": "BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or \nseries 5 prior to v9.0.166 contain an execution with unnecessary \nprivileges vulnerability, allowing for privilege escalation on the \ndevice once code execution has been obtained."}, {"lang": "es", "value": "Los reproductores BrightSign que ejecutan BrightSign OS serie 4 anterior a v8.5.53.1 o serie 5 anterior a v9.0.166 contienen una vulnerabilidad de ejecuci\u00f3n con privilegios innecesarios, lo que permite la escalada de privilegios en el dispositivo una vez que se ha obtenido la ejecuci\u00f3n del c\u00f3digo."}], "lastModified": "2025-05-08T14:39:09.683", "sourceIdentifier": "ics-cert@hq.dhs.gov"}