CVE-2025-63207
The · The Multiple Products
Executive summary
A critical vulnerability has been identified in The Multiple Products, allowing an unauthenticated attacker to remotely change all user passwords, including the administrator's. Successful exploitation of this flaw grants the attacker complete control over the affected system, enabling them to disrupt operations, access sensitive information, and potentially launch further attacks on the network.
Vulnerability
The vulnerability is a broken access control flaw in the web management interface. The specific endpoint, /_Passwd.html, fails to perform any authentication or authorization checks before processing requests. An unauthenticated remote attacker can craft and send a simple POST request to this endpoint containing new passwords for the Admin, Operator, and User accounts, effectively overwriting the current credentials and locking out legitimate users.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could lead to a complete system compromise, resulting in significant business disruption, especially given the operational nature of R.V.R Elettronica products in broadcast environments. An attacker could alter device configurations, cause service outages, access any data processed by the device, and use the compromised system as a pivot point to attack other internal network resources. The potential consequences include operational downtime, data breaches, and severe reputational damage.
Remediation
Immediate Action: Apply the security updates provided by the vendor to patch all affected instances of The Multiple Products to the latest version. After patching, review system and access logs for any evidence of unauthorized password changes or logins.
Proactive Monitoring: Security teams should actively monitor web server access logs for any unauthenticated POST requests to the /_Passwd.html endpoint. Implement alerting for any successful logins from unknown IP addresses or any password change events that occur outside of scheduled maintenance windows.
Compensating Controls: If immediate patching is not feasible, restrict network access to the device's web management interface using a firewall or network access control lists (ACLs). Ensure that only trusted administrators from a dedicated management network can access the interface, effectively preventing remote, unauthenticated exploitation.
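The monitoring guidance above can be turned into a concrete log check. The following is an added example, not code from the advisory or the vendor: it parses Common Log Format access-log lines, flags any POST to /_Passwd.html (the endpoint performs no authentication, so every such request deserves review), and escalates when the request carries no authenticated user, comes from outside the management network, or falls outside a maintenance window. The sample log lines, the 10.20.0.0/24 management subnet and the 08:00-18:00 UTC window are constructed assumptions; adjust them for your site.

```python
import re
import ipaddress
from datetime import datetime, timezone

# Constructed sample access-log lines (Common Log Format); not real device logs.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Nov/2025:03:14:07 +0000] "POST /_Passwd.html HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.20.0.5 - admin [12/Nov/2025:09:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.20.0.5 - admin [12/Nov/2025:09:05:40 +0000] "POST /_Passwd.html HTTP/1.1" 200 512 "http://10.20.0.9/_Passwd.html" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2025:22:41:59 +0000] "GET /_Passwd.html HTTP/1.1" 200 1024 "-" "python-requests/2.32"
"""

# Common Log Format: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

WATCHED_PATH = "/_Passwd.html"
# Assumption: administrators only reach the device from this management subnet.
TRUSTED_MGMT = ipaddress.ip_network("10.20.0.0/24")
# Assumption: password changes are only scheduled between 08:00 and 18:00 UTC.
MAINT_HOURS = range(8, 18)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_trusted_source(addr):
    """True only for addresses inside the management subnet; hostnames count as untrusted."""
    try:
        return ipaddress.ip_address(addr) in TRUSTED_MGMT
    except ValueError:
        return False


def classify(entry):
    """Return the list of alert reasons for one parsed entry (empty if it is not of interest)."""
    reasons = []
    if entry["path"].lower() != WATCHED_PATH.lower():
        return reasons
    trusted = is_trusted_source(entry["ip"])
    if entry["method"] == "POST":
        # Any POST here is a password change attempt; the endpoint enforces no auth itself.
        reasons.append("password-change request to unauthenticated endpoint")
        if entry["user"] == "-":
            reasons.append("no authenticated user on request")
        if not trusted:
            reasons.append("source outside management network")
        if entry["ts"].astimezone(timezone.utc).hour not in MAINT_HOURS:
            reasons.append("outside maintenance window")
    elif not trusted:
        reasons.append("password endpoint fetched from outside management network")
    return reasons


def scan(log_text):
    """Run the detection over a block of log text and return one alert dict per flagged line."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if not reasons:
            continue
        # A lone base reason is an expected admin change; anything more is high severity.
        severity = "high" if len(reasons) > 1 or entry["method"] != "POST" else "info"
        alerts.append({
            "ip": entry["ip"],
            "method": entry["method"],
            "time": entry["ts"].isoformat(),
            "severity": severity,
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ip"], alert["method"], alert["time"], "; ".join(alert["reasons"]))
```

Run against the constructed sample, the first line (an unauthenticated POST from an external address at 03:14 UTC) and the fourth (an external fetch of the endpoint) are reported as high severity, while the admin's POST from the management subnet during the window is reported as informational so that legitimate changes stay visible without paging anyone.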
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8 and the ease of exploitation, this vulnerability poses an immediate and severe risk to the organization. We strongly recommend that all affected systems be patched immediately. If patching cannot be completed right away, the compensating controls outlined above, specifically network segmentation and access restriction, must be implemented as an urgent priority to mitigate the risk of a full system compromise.