The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning about a critical authentication bypass vulnerability affecting ARC Solo devices — widely used monitoring and control units in broadcasting operations. Tracked as CVE-2025-5095, the flaw carries a CVSS v3 base score of 9.8, signaling its potential for severe impact.
According to CISA, “the device’s password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device.” In practice, this means that an attacker could send a password change request directly to the device’s HTTP endpoint without valid credentials.
CISA warns that the “system does not enforce proper authentication or session validation, allowing the password change to proceed without verifying the request’s legitimacy.” Because the check is missing on the device itself, anyone able to reach the device’s HTTP interface can reset the credentials; this exposes broadcasters to unauthorized control, operational disruption, and locked-out administrators.
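To make the flaw class concrete, here is an added illustration (hypothetical Python, not Burk Technology's firmware or any code from the advisory) of a password-change handler that trusts the request body without a session check, beside a version that validates the session and the current password first. The `Device`, `login` and handler names are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hash_pw(pw: str) -> bytes:
    # Toy digest for the demo; a real device should use a password KDF (e.g. scrypt/argon2).
    return hashlib.sha256(pw.encode()).digest()


@dataclass
class Device:
    # Constructed state: one admin credential and the set of live session tokens.
    admin_hash: bytes = field(default_factory=lambda: hash_pw("initial"))
    sessions: set = field(default_factory=set)


def login(dev: Device, password: str):
    """Return a session token on success, None on failure."""
    if hmac.compare_digest(hash_pw(password), dev.admin_hash):
        tok = secrets.token_hex(16)
        dev.sessions.add(tok)
        return tok
    return None


def change_password_vulnerable(dev: Device, request: dict) -> int:
    # Flaw pattern from the advisory: the handler never checks who sent the request,
    # so an unauthenticated caller can overwrite the credential (HTTP 200).
    dev.admin_hash = hash_pw(request["new_password"])
    return 200


def change_password_fixed(dev: Device, request: dict) -> int:
    # Mitigation: require a valid session AND proof of the current password.
    tok = request.get("session")
    if tok is None or tok not in dev.sessions:
        return 401  # no valid session: reject before touching state
    if not hmac.compare_digest(hash_pw(request.get("current_password", "")), dev.admin_hash):
        return 403  # session ok, but caller cannot prove the current secret
    dev.admin_hash = hash_pw(request["new_password"])
    dev.sessions.clear()  # invalidate every session after a credential change
    return 200
```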
The advisory states that “successful exploitation of this vulnerability could result in an attacker gaining access to the device, locking out authorized users, or disrupting operations.” Such attacks could have serious consequences for broadcasting networks, where uptime and operational continuity are critical.
The affected versions are:
- ARC Solo: Versions prior to v1.0.62
The vulnerability was responsibly reported to CISA by Souvik Kandar of MicroSec.
Burk Technology, the device manufacturer, has released a security update. Users are urged to update to ARC Solo v1.0.62 or later, available on the Burk Technology website.
CISA also recommends adopting the following defensive measures:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Isolate control system networks and remote devices behind firewalls.
- Use secure remote access methods such as VPNs, while keeping them patched and recognizing that VPNs are only as secure as the connected devices.