CVE-2025-57437
📋 TL;DR
Blackmagic Web Presenter HD firmware version 3.3 exposes sensitive streaming and device configuration data through an unauthenticated Telnet service on port 9977. This allows attackers to hijack live streams or gather reconnaissance data for further attacks. Anyone using this firmware version is affected.
💻 Affected Systems
- Blackmagic Web Presenter HD
📦 What is this software?
Web Presenter HD firmware by Blackmagic Design
⚠️ Risk & Real-World Impact
Worst Case
Complete takeover of live streaming capabilities, allowing attackers to broadcast unauthorized content, steal stream keys for platform abuse, and gain network access for lateral movement.
Likely Case
Stream hijacking where attackers redirect or disrupt legitimate broadcasts, plus exposure of network configuration enabling further attacks.
If Mitigated
Limited to information disclosure if the device is isolated and stream keys are rotated, but still exposes sensitive configuration data.
🎯 Exploit Status
Exploitation requires only Telnet access to port 9977 with no authentication, making it trivial to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.blackmagicdesign.com/
Restart Required: No
Instructions:
Check Blackmagic Design's website for firmware updates addressing CVE-2025-57437. If available, download and apply the update following vendor instructions.
🔧 Temporary Workarounds
Block Telnet Port 9977
Use firewall rules to block inbound connections to port 9977 on affected devices. Example iptables rule:
iptables -A INPUT -p tcp --dport 9977 -j DROP
Network Segmentation
Isolate Web Presenter devices on a separate VLAN with restricted access.
🧯 If You Can't Patch
- Rotate all stream keys and credentials exposed by the vulnerability immediately.
- Monitor network traffic to port 9977 for unauthorized access attempts and implement strict access controls.
🔍 How to Verify
Check if Vulnerable:
Attempt to connect via Telnet to the device's IP address on port 9977. If the connection succeeds and configuration data is displayed, the device is vulnerable.
Check Version:
Check device firmware version through its web interface or console. Should show version 3.3 if vulnerable.
Verify Fix Applied:
After applying any fix, attempt a Telnet connection to port 9977. The connection should be refused or time out if the device is properly mitigated.
📡 Detection & Monitoring
Log Indicators:
- Telnet connection attempts to port 9977 in device or firewall logs
- Unusual streaming activity or configuration changes
Network Indicators:
- Inbound TCP connections to port 9977 from unauthorized sources
- Telnet traffic to Web Presenter devices
SIEM Query:
source_ip:* AND dest_port:9977 AND protocol:TCP
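To turn the network indicator above (inbound TCP to port 9977 from unauthorized sources) into a concrete check, the following added example, not part of this advisory, scans netfilter-style firewall log lines and flags connections to the Web Presenter port from hosts outside an assumed management allowlist (10.20.0.0/24). The log lines and addresses are constructed sample data.

```python
import ipaddress
import re

# Constructed sample firewall log lines in iptables/netfilter LOG format.
# Example data only; not captured from a real device or network.
SAMPLE_LOGS = """\
Jun 12 10:01:02 gw kernel: IN=eth0 OUT= SRC=10.20.0.5 DST=10.20.0.50 PROTO=TCP SPT=51234 DPT=9977 SYN
Jun 12 10:01:09 gw kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=10.20.0.50 PROTO=TCP SPT=40000 DPT=9977 SYN
Jun 12 10:02:15 gw kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=10.20.0.50 PROTO=TCP SPT=40001 DPT=80 SYN
Jun 12 10:03:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.20.0.50 PROTO=UDP SPT=5353 DPT=9977
Jun 12 10:04:45 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.20.0.50 PROTO=TCP SPT=4444 DPT=9977 SYN
"""

# Assumed operator/management network allowed to reach the device's port 9977.
MANAGEMENT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]
WEB_PRESENTER_PORT = 9977  # unauthenticated Telnet service from CVE-2025-57437

# Pull source, destination, protocol and destination port out of a LOG line.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def is_allowed(src):
    """True if the source address belongs to an allowlisted management network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MANAGEMENT_ALLOWLIST)


def find_unauthorized_9977(log_text):
    """Return (src, dst) pairs for TCP connections to port 9977 from non-allowlisted hosts.

    Non-TCP traffic and other destination ports are ignored so that, e.g., the
    device's HTTP interface or unrelated UDP noise does not produce alerts.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if m["proto"] != "TCP" or int(m["dpt"]) != WEB_PRESENTER_PORT:
            continue
        if not is_allowed(m["src"]):
            hits.append((m["src"], m["dst"]))
    return hits


if __name__ == "__main__":
    for src, dst in find_unauthorized_9977(SAMPLE_LOGS):
        print(f"ALERT: unauthorized access to Web Presenter {dst}:{WEB_PRESENTER_PORT} from {src}")
```

Feed real firewall logs to find_unauthorized_9977 and adjust MANAGEMENT_ALLOWLIST to your own operator subnet; any hit is a candidate for the stream-key rotation recommended above.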