Overview
A critical authentication bypass vulnerability, identified as CVE-2025-63224, has been discovered in Itel DAB (Digital Audio Broadcasting) Encoders running IDEnc build 25aec8d. This vulnerability allows attackers to gain administrative access to affected devices by reusing valid JWT (JSON Web Token) tokens obtained from other devices, even across different networks and password configurations. This poses a significant security risk, potentially leading to full compromise of the affected Itel DAB Encoder.
Technical Details
The vulnerability stems from improper JWT validation within the Itel DAB Encoder’s authentication mechanism. The IDEnc firmware fails to properly verify the origin or device association of a JWT token. This means that if an attacker obtains a valid JWT from one Itel DAB Encoder, they can use that same JWT to authenticate against any other Itel DAB Encoder running the vulnerable firmware. The attack works regardless of differing passwords or network configurations between the devices. This widespread vulnerability impacts the security posture of all affected devices within an organization or across various installations.
CVSS Analysis
Currently, a CVSS score for CVE-2025-63224 is not available (N/A). However, given the nature of the vulnerability (authentication bypass leading to complete device compromise), it is highly likely that a CVSS score, when assigned, will be in the critical range. The ability to reuse JWT tokens for administrative access represents a severe security flaw.
Possible Impact
The successful exploitation of CVE-2025-63224 can lead to severe consequences, including:
- Complete Device Compromise: Attackers gain full administrative control over the Itel DAB Encoder.
- Malicious Configuration Changes: Attackers can alter device settings, potentially disrupting broadcasting services or injecting malicious content.
- Data Theft: Sensitive information stored on the encoder could be accessed and exfiltrated.
- Denial of Service: Attackers could intentionally disable the encoder, causing disruption to broadcasting operations.
- Network Pivoting: A compromised DAB Encoder can be used as a pivot point to attack other devices on the same network.
Mitigation or Patch Steps
The following steps are recommended to mitigate the risk associated with CVE-2025-63224:
- Apply the Patch: Contact Itel immediately and inquire about a security patch or firmware update that addresses the JWT validation issue. Install the patch as soon as it becomes available.
- Network Segmentation: Isolate Itel DAB Encoders on a separate network segment to limit the potential impact of a compromise.
- Monitor Network Traffic: Implement network monitoring solutions to detect suspicious activity, such as unauthorized access attempts or unusual data transfers.
- Disable Remote Access (If Possible): If remote administrative access is not strictly necessary, disable it to reduce the attack surface.
- Contact Itel Support: Reach out to Itel support for further guidance and assistance.
