CVE-2020-36922
Information Disclosure in Sony BRAVIA Digital Signage API Endpoints
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sony | bravia_digital_signage | up to 1.7.8 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-36922 is an information disclosure vulnerability in Sony BRAVIA Digital Signage version 1.7.8 and earlier. It allows unauthenticated attackers to access sensitive system information by exploiting exposed system API endpoints. Attackers can retrieve network interface details, server configurations, system metadata, and other sensitive information without any authentication or privileges. This flaw enables attackers to gather internal system details remotely, which could facilitate further attacks or reconnaissance on the affected devices. [2, 4, 5, 6]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthenticated remote attackers to access sensitive system information such as network interface configurations (IP addresses, MAC addresses), server time, operating system details, and device version information. Exposure of this information can aid attackers in conducting further targeted attacks or reconnaissance against your Sony BRAVIA Digital Signage devices, potentially compromising your network security and operational integrity. [2, 4, 5, 6]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending unauthenticated requests to the exposed system API endpoints of the Sony BRAVIA Digital Signage device. For example, using a curl command to query the system API endpoint such as `curl http://<device-ip>:8080/api/system` can reveal sensitive system information including application version, network interface configurations, server time, operating system, and host IP address. Monitoring for such API requests or unexpected responses from these endpoints can help detect exploitation attempts. [6]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the affected Sony BRAVIA Digital Signage devices to trusted users only, such as by implementing network segmentation or firewall rules to block unauthorized access to the device's API endpoints. Additionally, monitor network traffic for suspicious API requests and consider disabling or limiting access to the vulnerable API if possible. Since the vulnerability is due to unauthenticated access to system APIs, controlling access is critical. Checking for and applying any available firmware updates or patches from Sony is also recommended, although no specific patch information is provided in the resources. [2, 4, 6]
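The detection and mitigation answers above both come down to one check: is the system API endpoint being reached from outside the networks you trust? The following is an added example, not code from the CVE record or from Sony, that runs that check over HTTP access-log lines. It assumes Common Log Format lines (the constructed sample below is not a real capture), the `/api/system` path named on this page, and a trusted management subnet of `10.20.0.0/24` that you would replace with your own.

```python
import ipaddress
import re
from typing import List

# Constructed sample access-log lines (Common Log Format) standing in for the
# signage device's or a reverse proxy's HTTP log; none are real captures.
SAMPLE_LOG = """\
10.20.0.5 - - [06/Jan/2026:10:01:12 +0000] "GET /api/system HTTP/1.1" 200 412
10.20.0.5 - - [06/Jan/2026:10:01:13 +0000] "GET /index.html HTTP/1.1" 200 1890
203.0.113.7 - - [06/Jan/2026:10:02:40 +0000] "GET /api/system HTTP/1.1" 200 412
198.51.100.9 - - [06/Jan/2026:10:02:41 +0000] "GET /api/system/ HTTP/1.1" 200 412
203.0.113.7 - - [06/Jan/2026:10:03:00 +0000] "GET /api/system HTTP/1.1" 403 0
"""

# Networks allowed to reach the management API (assumed value; set per site).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Endpoint prefix named on the page; sub-paths and a trailing slash match too.
API_PREFIX = "/api/system"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_trusted(ip: str) -> bool:
    """True if the source address lies inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_exposure(log_text: str) -> List[dict]:
    """Report hits on the system API from untrusted sources.

    'disclosed' is True when the device answered 2xx, i.e. the unauthenticated
    request succeeded; a 403 shows an access control is now in place.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        if not (path == API_PREFIX or path.startswith(API_PREFIX + "/")):
            continue
        if is_trusted(m["ip"]):
            continue
        status = int(m["status"])
        findings.append({"ip": m["ip"], "path": path, "status": status,
                         "ts": m["ts"], "disclosed": 200 <= status < 300})
    return findings


if __name__ == "__main__":
    for f in find_exposure(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {f['status']} "
              f"{'DISCLOSED' if f['disclosed'] else 'blocked'}")
```

On the constructed sample this reports three untrusted hits, two of which succeeded, which is the signal to act on with the firewall or segmentation rules described above.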