CVE-2025-57432
Blackmagic · Blackmagic Web Presenter · Affected versions: Multiple Products
A critical vulnerability has been discovered in Blackmagic Web Presenter devices that allows unauthenticated remote attackers to take full control of the device's streaming functions.
Executive summary
A critical vulnerability has been discovered in Blackmagic Web Presenter devices that allows unauthenticated remote attackers to take full control of the device's streaming functions. This flaw could be exploited to disrupt live broadcasts, hijack streams to broadcast unauthorized content, or redirect sensitive internal feeds, posing a significant operational and reputational risk to the organization.
Vulnerability
The vulnerability exists because the device exposes an unprotected Telnet service on TCP port 9977. An attacker with network access to the device can connect to this port without any authentication and execute commands directly. This allows the attacker to view and modify all stream settings, including the stream destination URL, stream key, and video quality, and to start or stop the broadcast at will.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could lead to severe business consequences, including the complete disruption of live streaming services, which could impact revenue-generating events or critical communications. An attacker could hijack a broadcast to display malicious, inappropriate, or competitor content, causing significant reputational damage. Furthermore, if the device is used for sensitive internal broadcasts, an attacker could redirect the stream to a public endpoint, resulting in a data breach. The ease of exploitation (no authentication required) makes this a high-priority risk for any organization utilizing these devices.
Remediation
Immediate Action: Apply the latest firmware update provided by the vendor to all affected Blackmagic Web Presenter devices without delay. After patching, security teams should verify that the Telnet service on TCP port 9977 is either disabled or now requires authentication.
Proactive Monitoring: Monitor network traffic for any connection attempts to TCP port 9977 on affected devices from unauthorized internal or external IP addresses. Review device logs for any unauthorized configuration changes, stream restarts, or modifications to stream destinations. Set up alerts for any unexpected start/stop events on production streams.
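One way to implement the monitoring described above, as an added example that is not part of this advisory: a small Python check that scans firewall or flow log lines and flags every connection attempt (allowed or denied) to TCP 9977 on a Web Presenter from a host outside the administrative allow-list. The key=value log format, the device addresses and the allow-list are constructed assumptions for the example.

```python
"""Flag connection attempts to TCP 9977 (the unauthenticated Telnet
service on Blackmagic Web Presenter devices) from non-allow-listed hosts.
Added detection example; log format, device IPs and allow-list are
constructed assumptions, not taken from the advisory."""
import re
from typing import Iterable, List, Optional

WEB_PRESENTER_PORT = 9977  # port named in the advisory

# Assumed inventory: Web Presenter device addresses and trusted admin hosts.
WEB_PRESENTERS = {"10.0.20.10", "10.0.20.11"}
ADMIN_ALLOWLIST = {"10.0.5.2"}

# Assumed key=value firewall/flow log layout (constructed for this example).
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Extract src, dst, proto and dport from one log line; None if unparsable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def find_suspicious(lines: Iterable[str]) -> List[dict]:
    """Return events where a non-allow-listed host tried to reach TCP 9977 on a
    Web Presenter. Denied attempts are reported too: a probe from an untrusted
    network is itself worth an alert."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if (ev["proto"].lower() == "tcp" and ev["dport"] == WEB_PRESENTER_PORT
                and ev["dst"] in WEB_PRESENTERS and ev["src"] not in ADMIN_ALLOWLIST):
            alerts.append(ev)
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-09-01T10:00:01Z fw1 src=10.0.5.2 dst=10.0.20.10 proto=tcp dport=9977 action=allow",    # trusted admin
    "2025-09-01T10:00:05Z fw1 src=10.0.7.44 dst=10.0.20.10 proto=tcp dport=9977 action=allow",   # untrusted internal
    "2025-09-01T10:00:09Z fw1 src=203.0.113.9 dst=10.0.20.11 proto=tcp dport=9977 action=deny",  # external probe
    "2025-09-01T10:00:12Z fw1 src=10.0.7.44 dst=10.0.20.10 proto=tcp dport=443 action=allow",    # other port
    "2025-09-01T10:00:15Z fw1 src=10.0.7.44 dst=10.0.30.5 proto=tcp dport=9977 action=allow",    # not a Web Presenter
]

if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {a['src']} -> {a['dst']}:{a['dport']} (unauthenticated Telnet port)")
```

Run against the constructed sample it reports the untrusted internal host and the external probe, and ignores the trusted admin, the port 443 traffic, and the non-Web-Presenter destination.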
Compensating Controls: If immediate patching is not possible, implement the following controls:
- Use a network firewall or Access Control Lists (ACLs) to block all inbound traffic to TCP port 9977 from all untrusted networks.
- If remote management is required, create a strict firewall allow-list permitting access only from specific, trusted administrative IP addresses.
- Isolate Web Presenter devices on a segregated network segment (VLAN) away from general user networks and critical servers.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical CVSS score of 9.8 and the lack of authentication required for exploitation, this vulnerability represents an immediate and significant threat. While this vulnerability is not yet on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity and simplicity make it a prime target for opportunistic attackers. We strongly advise that organizations prioritize patching all affected Blackmagic Web Presenter devices immediately. If patching cannot be performed, the recommended compensating controls must be implemented as a matter of urgency to prevent potential stream hijacking or service disruption.