
Image: @hacker_might
A security vulnerability has been identified in Digigram’s PYKO-OUT audio-over-IP (AoIP) product, raising concerns about its use in applications such as paging, background music, and live announcements. The vulnerability, tracked as CVE-2025-3927, stems from the device’s default configuration, which does not require any login information or password.
According to a recent note from the CERT Coordination Center (CERT/CC), the PYKO-OUT AoIP’s web server, which defaults to an IP address of 192.168.0.100, lacks any authentication or authorization mechanisms. This flaw allows “any attacker who discovers the vulnerable IP address of the device to connect and manipulate it, without any authentication or authorization.”
An attacker who successfully gains access to a vulnerable device can “access its configuration, control audio outputs and inputs, and potentially pivot to other connected devices”. This unauthorized access could be used to disrupt audio broadcasts, inject malicious audio, or even use the compromised device as a stepping stone to attack other devices on the network or through connected USB drives.
Digigram has acknowledged the vulnerability but has stated that the PYKO-OUT product is end-of-life (EOL) and that it will therefore not provide a patch for the insecure default configuration. The vulnerability note advises users to manually set a password within the web server’s user interface to secure their devices. While this workaround mitigates the issue, it places the burden of security on the user. It is also important to note that “the product is no longer being sold by Digigram.”
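Because the only available fix is a manual change in the web UI, an operator will want a repeatable way to confirm that the change actually took effect on every unit. The script below is an added example (not Digigram’s or CERT/CC’s code) that sends a single unauthenticated GET to the device’s web server and reports whether the server now demands credentials. It assumes, since the advisory does not describe the UI’s behaviour, that a password-protected device answers with HTTP 401 or 403 (or a `WWW-Authenticate` header) and that a device still in the insecure default state answers with HTTP 200; the factory address 192.168.0.100 is the one given in the note, and the `config-audit` user agent string is a placeholder.

```python
"""Post-mitigation check for the PYKO-OUT web UI (added example, not vendor code).

Assumption (not stated in the advisory): once a password is configured the
web server rejects an unauthenticated GET on "/" with HTTP 401/403, and while
the insecure default is still in place it serves the page with HTTP 200.
"""
import sys
import urllib.error
import urllib.request

DEFAULT_URL = "http://192.168.0.100/"  # factory default address per the CERT/CC note


def classify_status(status: int, headers: dict) -> str:
    """Map the status and headers of an unauthenticated response to a verdict.

    Returns "auth_required", "unauthenticated" or "unknown". Header names are
    compared case-insensitively because servers vary in capitalisation.
    """
    names = {k.lower() for k in headers}
    if status in (401, 407) or "www-authenticate" in names:
        return "auth_required"
    if status == 403:
        return "auth_required"
    if status == 200:
        return "unauthenticated"
    return "unknown"  # e.g. a form-login flow; inspect by hand


def probe(url: str = DEFAULT_URL, timeout: float = 5.0) -> str:
    """Issue one unauthenticated GET and classify the answer."""
    req = urllib.request.Request(url, headers={"User-Agent": "config-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_status(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as e:
        # 4xx/5xx are raised as exceptions; the status code is still what we need.
        return classify_status(e.code, dict(e.headers))
    except (urllib.error.URLError, OSError) as e:
        return f"unreachable: {e}"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_URL
    verdict = probe(target)
    print(f"{target}: {verdict}")
    # Exit non-zero when the UI still answers without credentials, so the check
    # can run unattended (cron, CI) after the password has been set on each unit.
    sys.exit(1 if verdict == "unauthenticated" else 0)
```

Run it against each unit after the password has been set (`python3 check_pyko.py http://192.168.0.100/`); a non-zero exit means the web UI is still reachable without credentials. If the device uses a form-based login that returns HTTP 200 for the login page itself, `classify_status` will need an extra rule (for instance matching the login form in the body), which is why anything outside the assumed codes is reported as `unknown` rather than silently passed.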
This vulnerability highlights the critical importance of secure default configurations. The absence of a default password in the Digigram PYKO-OUT AoIP device creates a significant security risk, making it imperative for users to take immediate steps to secure their devices.