A critical, unauthenticated command injection vulnerability exists in multiple SOUND4 products. This flaw allows a remote attacker without any credentials to take complete control of an affected device by sending a specially crafted request, posing a significant risk of system compromise, data breach, and service disruption.

The vulnerability is an unauthenticated command injection flaw found in the web interface of the affected products. An attacker can send a malicious HTTP POST request to the index.php or login.php scripts. By injecting operating system shell commands into the username parameter of the login request, the attacker can force the underlying server to execute these commands with the privileges of the web service, leading to a full system compromise.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows an unauthenticated attacker to gain complete control over the affected device. This could lead to severe consequences, including theft of sensitive configuration data, interception or modification of audio streams, complete service disruption, or using the compromised device as a pivot point to launch further attacks against the internal network. The operational and reputational damage from such an attack could be substantial.

Immediate Action: Immediately update all affected SOUND4 IMPACT, FIRST, PULSE, and Eco products to the latest patched version provided by the vendor. Prioritize patching for systems that are accessible from the internet.

Proactive Monitoring: System administrators should actively monitor web server access logs for suspicious POST requests to index.php and login.php. Specifically, look for unusual or malicious-looking strings and shell commands within the username parameter. Monitor for unexpected outbound network connections, unusual process execution, and any modifications to system files on the affected devices.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to block command injection attempts in POST request parameters. Restrict network access to the device's management interface to a trusted administrative network or specific IP addresses.

Public Exploit Available: true

Given the critical CVSS score of 9.8 and the availability of a public exploit, this vulnerability poses an immediate and severe threat to the organization. We strongly recommend that all affected SOUND4 devices be patched immediately, with internet-facing systems treated as the highest priority. Due to the risk of active exploitation, organizations should assume that any unpatched, publicly accessible devices may already be compromised and should consider initiating incident response procedures to investigate for signs of malicious activity.