CVE-2025-63220

Published: Nov 19, 2025Modified: Jan 8, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The Sound4 FIRST web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware.

Affected (1)

Products: Sound4: First Firmware

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sound4 First Firmware	Version 2.33

Running on/with	Platform Versions
Sound4 First	All versions

Related CWEs

Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

References (4)

https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63220_Sound4%20FIRST%20RCE

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.sound4helpdesk.com/

Source: cve@mitre.org

Product

https://www.sound4helpdesk.com/first-downloads/

Source: cve@mitre.org

Product

https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63220_Sound4%20FIRST%20RCE

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.