CVE-2025-51040
BaseFortify
Publication date: 2025-08-06
Last updated on: 2025-10-09
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| electrolink | fm\/dab\/tv_transmitter_web_management_system | 01.07 |
| electrolink | fm\/dab\/tv_transmitter_web_management_system | 01.08 |
| electrolink | fm\/dab\/tv_transmitter_web_management_system | 01.09 |
| electrolink | medium_1kw | * |
| electrolink | medium_2kw | * |
| electrolink | medium_500w | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-51040 is an unauthorized access vulnerability in the Electrolink FM/DAB/TV Transmitter Web Management System. It affects specific versions of the Medium DAB Transmitter and Display software. An attacker can bypass authentication by directly accessing the /FrameSetCore.html endpoint via HTTP, gaining administrative control over the system. The root cause includes insecure permissions, hard-coded credentials in JavaScript files, and sensitive information exposed in client-side resources. [1]
How can this vulnerability impact me? :
This vulnerability can lead to a complete system compromise, allowing an unauthorized attacker to gain administrative access to the transmitter system. This means the attacker can control and manipulate the transmitter, potentially disrupting services, altering configurations, or causing other critical impacts to the system's operation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the /FrameSetCore.html endpoint on the Electrolink FM/DAB/TV Transmitter Web Management System without authentication. For example, you can use commands like: curl -I http://<target-ip>/FrameSetCore.html or wget --spider http://<target-ip>/FrameSetCore.html to check if the page is accessible without credentials. Monitoring and alerting systems should also be established to detect unauthorized access attempts to this endpoint. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict access control mechanisms to restrict access to the /FrameSetCore.html endpoint, refactoring code to remove hard-coded credentials from client-side scripts, applying data masking to prevent sensitive data exposure, conducting security audits to find and fix similar vulnerabilities, and establishing monitoring and alerting systems to detect unauthorized access attempts. [1]