A critical authentication bypass vulnerability exists in The Itel DAB Encoder products. This flaw allows an attacker to reuse a valid login token from one device to gain complete administrative control over any other vulnerable device, regardless of its location or network. Successful exploitation would result in a full system compromise, enabling an attacker to disrupt operations, steal data, or use the device to launch further attacks.

The vulnerability is an authentication bypass resulting from improper validation of JSON Web Tokens (JWT). The application fails to bind a JWT to the specific device or user session for which it was generated. An attacker who obtains a valid administrative JWT from any device (e.g., a test device they control or a previously compromised one) can submit that same token in an API request to any other vulnerable Itel DAB Encoder. The target device will improperly validate the token as authentic, granting the attacker full administrative privileges without needing to know the device's actual password.

This vulnerability is rated as critical severity with a CVSS score of 10, representing the highest possible risk. An attacker gaining administrative access can cause significant business disruption by altering DAB broadcast configurations, taking services offline, or broadcasting malicious content. The complete loss of confidentiality, integrity, and availability for affected devices poses a severe risk. Compromised encoders could also serve as a pivot point for attackers to move laterally within the corporate network, escalating the incident beyond the initially targeted systems.

Immediate Action: Immediately apply the security updates provided by the vendor to all affected Itel DAB Encoder products to patch this vulnerability. After patching, review administrative access logs for any unauthorized or suspicious authentication events that may have occurred prior to the update.

Proactive Monitoring: Monitor network traffic and device logs for signs of exploitation. Specifically, look for successful administrative logins originating from unexpected or untrusted IP addresses. Correlate login events across multiple devices to identify if a single token or source IP is being used to access different systems. Set up alerts for any unusual configuration changes or commands executed via the administrative interface.

Compensating Controls: If immediate patching is not feasible, implement network-level access controls as a temporary measure. Use a firewall to restrict all administrative access to the devices to a dedicated, secure management network or a small set of trusted IP addresses. Disable external or internet-facing access to the management interface until the patch can be applied.

Public Exploit Available: false

Due to the critical CVSS score of 10 and the low complexity of exploitation, this vulnerability requires immediate attention. We strongly recommend that all affected Itel DAB Encoder devices be patched on an emergency basis. Organizations should prioritize patching internet-facing systems first, followed immediately by internal devices. The risk of full system compromise and subsequent network intrusion is severe, and organizations should assume that this vulnerability will be actively targeted by attackers.