BrightSign Players (Update A)

CVSS 8.4 | ICS-CERT ICSA-25-126-03 | May 6, 2025
Status: Plan Patch

Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities (CVE-2025-3925 and CVE-2025-54756) in BrightSign OS series 4 and 5 players allow privilege escalation, exploitation of easily-guessable passwords, or arbitrary code execution on the underlying operating system. The vulnerabilities stem from execution with unnecessary privileges (CWE-250) and use of default passwords (CWE-1392). BrightSign has released firmware patches v8.5.53.1 for series 4 and v9.0.166 for series 5 players. Mitigation includes changing default passwords, disabling the local DWS and unnecessary SSH/telnet services, restricting physical access, and disabling unused SD/USB ports.

What this means
What could happen
An attacker with physical access to a BrightSign player could escalate privileges, exploit weak default credentials, or execute arbitrary code on the device, potentially allowing them to alter digital signage content, interrupt displays, or pivot to other network systems.
Who's at risk
Digital signage operators and facilities managers running BrightSign players (OS series 4 and 5) should apply this update. This includes retail locations, corporate offices, transportation hubs, hospitals, and any facility using BrightSign for display content management and scheduling.
How it could be exploited
An attacker with physical access to the device could leverage easily-guessable passwords or privilege escalation vulnerabilities (CWE-250: execution with unnecessary privileges, CWE-1392: default password) to gain elevated access. If SSH/telnet is enabled, remote exploitation is possible. Once compromised, the attacker can execute arbitrary code on the underlying operating system.
Prerequisites
  • Physical access to the BrightSign player device
  • Default or weak credentials left unchanged
  • SSH/telnet server enabled (disabled by default but can be configured)
  • Privilege escalation possible
  • Default credentials exploitable
  • Arbitrary code execution possible
  • Physical access required for most attack paths
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2), both with a fix available

Product                          | Affected Versions | Fixed Version
BrightSign OS series 4 players   | < v8.5.53.1       | v8.5.53.1
BrightSign OS series 5 players   | < v9.0.166        | v9.0.166
Remediation & Mitigation

Do now
  • HARDENING: Change all default passwords on BrightSign devices during initial setup
  • WORKAROUND: Disable the SSH/telnet server if it is not actively needed for remote management
  • WORKAROUND: Disable the local DWS (Device Web Server) using the High Security settings

Schedule — requires maintenance window

Patching may require a device reboot — plan for process interruption.

  • HOTFIX: Update BrightSign OS series 4 players to firmware v8.5.53.1 or later
  • HOTFIX: Update BrightSign OS series 5 players to firmware v9.0.166 or later

Long-term hardening
  • HARDENING: Disable SD and USB ports if they are not needed for content updates
  • HARDENING: Locate BrightSign players in secured areas where unauthorized physical access is not possible
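The following is an added fleet-triage example, not code from OTPulse or BrightSign: it compares each player's firmware against the fixed versions in the table above and lists which of the advisory's remediation steps are still outstanding. The Player fields and the constructed inventory are assumptions for illustration; the version check assumes BrightSign's dotted numeric version strings.

```python
from dataclasses import dataclass

# Fixed firmware per series, taken from the advisory's Affected Products table.
FIXED_VERSION = {4: "8.5.53.1", 5: "9.0.166"}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn 'v8.5.53.1' or '8.5.53.1' into a tuple of ints for comparison."""
    return tuple(int(p) for p in v.strip().lstrip("vV").split("."))


@dataclass
class Player:
    """Assumed inventory record for one signage player (hypothetical fields)."""
    name: str
    series: int
    firmware: str
    default_password_changed: bool
    ssh_or_telnet_enabled: bool
    local_dws_enabled: bool


def is_affected(player: Player) -> bool:
    """True when the player runs firmware older than the fixed version for its series."""
    fixed = FIXED_VERSION.get(player.series)
    if fixed is None:
        return False  # series not covered by this advisory
    return parse_version(player.firmware) < parse_version(fixed)


def outstanding_actions(player: Player) -> list[str]:
    """Return the advisory's remediation steps that still apply to this player."""
    actions = []
    if is_affected(player):
        actions.append(f"HOTFIX: update to v{FIXED_VERSION[player.series]} or later")
    if not player.default_password_changed:
        actions.append("HARDENING: change default password")
    if player.ssh_or_telnet_enabled:
        actions.append("WORKAROUND: disable SSH/telnet server")
    if player.local_dws_enabled:
        actions.append("WORKAROUND: disable local DWS (High Security settings)")
    return actions


def triage(inventory: list[Player]) -> dict[str, list[str]]:
    """Map each player name to its outstanding actions (empty list = nothing to do)."""
    return {p.name: outstanding_actions(p) for p in inventory}


# Constructed sample inventory; these are not real devices.
INVENTORY = [
    Player("lobby-01", 4, "v8.5.52.0", False, True, True),
    Player("lobby-02", 5, "9.0.166", True, False, False),
    Player("gate-07", 5, "v9.0.100", True, True, False),
]

if __name__ == "__main__":
    for name, actions in triage(INVENTORY).items():
        print(name, "->", actions or ["no outstanding actions"])
```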

BrightSign Players (Update A) | CVSS 8.4 - OTPulse