CVE-2025-63209
📋 TL;DR
This vulnerability allows unauthenticated attackers to retrieve admin credentials and system settings from ELCA Star Transmitter Remote Control devices via an unprotected /setup.xml endpoint. The admin password is stored in plaintext, potentially leading to remote compromise of transmitter systems. Affected devices include STAR150, BP1000, STAR300, STAR2000, STAR1000, STAR500, and possibly other models running firmware version 1.25.
💻 Affected Systems
- ELCA Star Transmitter Remote Control
📦 What is this software?
Bp1000 Firmware by Elcaradio
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control of transmitter systems, potentially disrupting critical communications infrastructure, manipulating transmission settings, or using devices as footholds into broader networks.
Likely Case
Attackers steal admin credentials and sensitive system configuration data, enabling unauthorized access to transmitter control interfaces and potential service disruption.
If Mitigated
With proper network segmentation and access controls, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation requires only HTTP GET requests to the vulnerable endpoint. A public GitHub repository contains research details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: unknown
Vendor Advisory: https://www.elcaradio.com
Restart Required: No
Instructions:
1. Check the vendor website for firmware updates.
2. If a patch is available, download it from the official vendor source.
3. Follow the vendor's firmware update procedures for affected transmitter models.
🔧 Temporary Workarounds
Network Access Restriction
Block external access to transmitter management interfaces using firewall rules (Linux iptables; replace trusted_network with the CIDR of your management network, and keep the ACCEPT rule before the DROP rule since -A appends in order):
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Endpoint Protection
Implement web application firewall rules to block access to the /setup.xml endpoint (any platform):
WAF rule: deny requests to path '/setup.xml'
🧯 If You Can't Patch
- Isolate transmitter management interfaces to dedicated VLAN with strict access controls
- Implement network monitoring for unauthorized access attempts to /setup.xml endpoint
🔍 How to Verify
Check if Vulnerable:
Send an HTTP GET request to http://[device_ip]/setup.xml and check whether the response contains a plaintext password in the <p05> tag.
Check Version:
Check device web interface or consult vendor documentation for firmware version
Verify Fix Applied:
After applying controls, verify that an HTTP GET to /setup.xml returns access denied or no sensitive data.
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /setup.xml from unauthorized sources
- Failed authentication attempts followed by successful /setup.xml access
Network Indicators:
- Unusual HTTP traffic patterns to transmitter management ports
- External IP addresses accessing /setup.xml endpoint
SIEM Query:
source_ip NOT IN (trusted_networks) AND http_request_path = '/setup.xml'
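The SIEM query above applied to raw web-server access logs, as an added example that is not part of the original advisory. The trusted network ranges, the combined-log-format layout and the sample log lines are assumed or constructed for illustration; it flags /setup.xml requests (including query-string and mixed-case variants) from addresses outside the trusted ranges.

```python
import ipaddress
import re

# Trusted management networks (assumed placeholder ranges; replace with your own).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.50.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Common log format: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def is_trusted(ip: str) -> bool:
    """True if the client address falls inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_setup_xml_hits(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (ip, timestamp, status) for every /setup.xml request from an
    untrusted source. The path is compared without its query string and
    case-insensitively so /Setup.xml?x=1 is also caught."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]
        if path.lower() != "/setup.xml":
            continue
        if is_trusted(m.group("ip")):
            continue
        hits.append((m.group("ip"), m.group("ts"), m.group("status")))
    return hits

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '10.0.50.12 - - [10/Jan/2025:09:00:01 +0000] "GET /setup.xml HTTP/1.1" 200 1843',
    '203.0.113.7 - - [10/Jan/2025:09:01:15 +0000] "GET /setup.xml HTTP/1.1" 200 1843',
    '203.0.113.7 - - [10/Jan/2025:09:01:16 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Jan/2025:09:02:00 +0000] "GET /Setup.xml?x=1 HTTP/1.1" 403 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, ts, status in find_setup_xml_hits(SAMPLE_LOG):
        print(f"ALERT /setup.xml from untrusted {ip} at {ts} (status {status})")
```

A 403 hit still indicates a probe worth recording even when the WAF rule blocked it.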