Atelmo Atemio AM 520 HD Full HD Satellite Receiver
Plan PatchCVSS 9.8ICS-CERT ICSA-24-270-03Sep 26, 2024
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
The Atemio AM 520 HD Full HD Satellite Receiver contains a command injection vulnerability (CWE-78) that allows an unauthenticated attacker with network access to execute arbitrary system commands with elevated privileges. The product has been discontinued by Atelmo with no service or support available. There are no vendor patches for this vulnerability.
What this means
What could happen
An attacker who reaches this satellite receiver over the network could run arbitrary system commands with elevated privileges, potentially disrupting broadcast operations or altering receiver settings without authorization.
Who's at risk
Broadcast and media operators who use the Atemio AM 520 HD satellite receiver for content delivery or monitoring. This includes TV stations, cable distribution headends, and satellite downlink facilities.
How it could be exploited
An attacker with network access to the device (port access unspecified in advisory) can send a crafted command or request that exploits a command injection flaw in the Atemio AM 520 HD, resulting in immediate execution of arbitrary system commands.
Prerequisites
- Network access to the Atemio AM 520 HD receiver
- No authentication required
- Device must be reachable from the attacker's network segment
remotely exploitableno authentication requiredlow complexityno patch availablecritical CVSS (9.8)
Exploitability
Some exploitation risk — EPSS score 3.7%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (1)
ProductAffected VersionsFix Status
Atemio AM 520 HD: <=TitanNit_2.01≤ TitanNit 2.01No fix yet
Remediation & Mitigation
0/4
Do now
0/2HARDENINGDisconnect or isolate the Atemio AM 520 HD receiver from the network if it is not actively in use; confirm with operations whether the device is still required for satellite reception.
WORKAROUNDRestrict network access to the satellite receiver using firewall rules; only allow connections from authorized management or control systems on your network.
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HARDENINGPlace the satellite receiver on a segmented network or VLAN that is isolated from your main broadcast or operational networks and business network.
HARDENINGIf remote access to the receiver is required, require all connections to go through a VPN or jump server with authentication controls; do not expose the device directly to untrusted networks.
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/87df5d0e-a75c-4c95-ba31-a3002c6e0b4fGet OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.