CVE-2025-28235
📋 TL;DR
This vulnerability allows attackers to retrieve administrator credentials in plaintext from Soundcraft Ui Series digital mixers via the /socket.io/1/websocket/ endpoint. Attackers can gain administrative access to the device, potentially taking full control. Affected devices include Ui12 and Ui16 models running vulnerable firmware versions.
💻 Affected Systems
- Soundcraft Ui12
- Soundcraft Ui16
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to the mixer, allowing them to modify all audio settings, disrupt live events, install malicious firmware, or use the device as a pivot point into connected networks.
Likely Case
Attackers steal administrator credentials and gain unauthorized access to the mixer's web interface, potentially disrupting audio operations or changing critical settings.
If Mitigated
With proper network segmentation and access controls, attackers cannot reach the vulnerable endpoint, limiting impact to isolated incidents.
🎯 Exploit Status
Exploitation requires network access to the device's web interface on port 80/443.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Check Soundcraft/Harman Professional website for firmware updates. If available, download and install via device web interface.
🔧 Temporary Workarounds
Network Segmentation
Isolate Soundcraft Ui devices on a separate VLAN with strict access controls.
Access Control Lists
Implement firewall rules to restrict access to the device web interface to authorized IPs only.
🧯 If You Can't Patch
- Disable web interface if not required for operations
- Change administrator password regularly and monitor for unauthorized access
🔍 How to Verify
Check if Vulnerable:
Access https://[device-ip]/socket.io/1/websocket/ and check if credentials are exposed in plaintext responses.
Check Version:
Check firmware version in device web interface under Settings > System Information
Verify Fix Applied:
Verify the endpoint no longer returns plaintext credentials after applying vendor patches or workarounds.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login from unusual IP
- Access to /socket.io/1/websocket/ endpoint
Network Indicators:
- Unusual traffic to device port 80/443 from unauthorized sources
- HTTP requests to /socket.io/1/websocket/
SIEM Query:
source_ip=* AND dest_port IN (80,443) AND url_path="/socket.io/1/websocket/"