Executive Summary

CVE-2026-5569 is a critical broken access control vulnerability in the Technostrobe HI-LED-WR120-G2 obstruction lighting system, which is used on tall structures like towers and wind turbines to prevent aircraft collisions.

The device runs an embedded web server for management and remote configuration, but its authentication relies solely on insecure URL parameters (userId and keyId) without proper session management or validation.

This flaw allows attackers to bypass authentication completely and access sensitive management pages, view system status, change admin passwords, modify alarm settings, and ultimately take full control of the lighting system remotely.

The vulnerability arises because the server blindly trusts unsigned and replayable Base64-encoded tokens in the URL, enabling trivial impersonation and unauthorized actions.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in the Technostrobe HI-LED-WR120-G2 device involves broken access control that allows unauthenticated attackers to fully compromise the system, including changing admin passwords and disabling critical alerts.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the improper access controls and potential unauthorized access to sensitive system functions could lead to violations of security and privacy requirements mandated by such regulations.

Specifically, the lack of proper authentication and session management could result in unauthorized disclosure or modification of data, which may conflict with GDPR's requirements for data protection and access controls, as well as HIPAA's mandates for safeguarding electronic protected health information if applicable.

Additionally, the vulnerability poses a critical risk to aviation safety by allowing attackers to disable or manipulate obstruction lighting systems, which could have regulatory implications under aviation safety standards.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts, especially in safety-critical environments.

• Attackers can remotely take over the obstruction lighting system by changing admin passwords without authentication.
• They can disable or manipulate alarm thresholds and silence fault notifications, potentially causing critical alerts like power supply failures to go unnoticed.
• Unauthorized access to system status and configuration can lead to disruption or complete control of the lighting system.

Such control could result in the obstruction lighting failing to operate correctly, increasing the risk of aircraft collisions with tall structures.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable endpoints on the Technostrobe HI-LED-WR120-G2 device without authentication, especially the web management interface URLs such as /Technostrobe/surveillance_generale.html, /surveillance_psu.html, /configPassword.html, /alarmConfig.html, and the /LoginCB POST endpoint.

A practical detection method is to use cURL commands to test if these endpoints allow unauthorized access or actions, such as changing the admin password without authentication.

• Use a cURL command to test password change without authentication: curl -X POST 'http://<device-ip>/LoginCB' -d 'updatePassword=0&userId=admin&newPassword=aGFja2VkIQ=='
• Attempt to access the surveillance dashboard without credentials: curl 'http://<device-ip>/Technostrobe/surveillance_generale.html?userId=any&keyId=any'
• Check if power supply monitoring data is accessible without authentication: curl 'http://<device-ip>/surveillance_psu.html'
• Try to access the password change form without authentication: curl 'http://<device-ip>/configPassword.html'
• Attempt to modify alarm configurations without authentication: curl 'http://<device-ip>/alarmConfig.html'

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable device's web management interface by network segmentation or firewall rules to prevent unauthorized remote access.

Since the firmware version 5.5.0.1R6.03.30 is unpatched and the vendor has not responded, it is critical to implement compensating controls such as:

• Block external network access to the device's HTTP management ports.
• Monitor and log all access attempts to the device for suspicious activity.
• Change default or known passwords manually if possible, and restrict physical access to the device.

Long-term remediation requires updating the device firmware to a version that implements proper authentication and access control, or replacing the device if no patch is available.

Useful 0 Not Useful 0