CVE-2025-57431

Published: Sep 22, 2025Modified: Oct 14, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The Sound4 PULSE-ECO AES67 1.22 web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware.

Affected (1)

Products: Sound4: Pulse Eco Aes67 Firmware

1 product

Pulse Eco Aes67 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sound4 Pulse Eco Aes67 Firmware	Version 1.22

Running on/with	Platform Versions
Sound4 Pulse Eco Aes67	All versions

Related CWEs

Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

References (2)

https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57431

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.sound4.com

Source: cve@mitre.org

Product

Timeline

No history available yet.