OTPulse

BrightSign Players (Update A)

Plan Patch · CVSS 8.4 · ICS-CERT ICSA-25-126-03 · May 6, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

BrightSign OS series 4 and series 5 players contain privilege escalation, weak credential, and arbitrary code execution vulnerabilities. Successful exploitation could allow an attacker to gain elevated privileges on the device or execute commands on the underlying operating system. Vulnerabilities CVE-2025-3925 and CVE-2025-54756 are addressed in BrightSign OS v8.5.53.1 (series 4) and v9.0.166 (series 5).

What this means
What could happen
An attacker with physical access to a BrightSign player could escalate privileges, exploit weak default credentials, or execute arbitrary code on the device—potentially disrupting digital signage operations or gaining control of networked display infrastructure.
Who's at risk
Organizations operating BrightSign digital signage systems (retail, transit, corporate, hospitality) should prioritize players that are physically accessible to unauthorized people and players still running default credentials. Series 4 (v8.5.x) and Series 5 (v9.0.x) players are affected.
How it could be exploited
An attacker with physical access could boot the device into a state that allows privilege escalation or password manipulation. Alternatively, if SSH/telnet is enabled and default credentials are not changed, network-based login could lead to code execution on the underlying OS controlling the player.
Prerequisites
  • Physical access to the device OR network access to SSH/telnet port if enabled
  • Default credentials not changed (for network exploitation)
  • Device not protected by physical access controls
Tags: Default credentials · Physical access required · Privilege escalation possible · Arbitrary code execution possible
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2), 2 with fix
Product | Affected versions | Fix status
BrightSign OS series 4 players | <v8.5.53.1 | fixed in v8.5.53.1
BrightSign OS series 5 players | <v9.0.166 | fixed in v9.0.166
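One way to act on the affected-version table above is to run a device inventory through it and sort players into the advisory's own "Do now" and "Schedule" buckets. The script below is an added example for this page, not OTPulse or BrightSign code; the inventory rows and the field names (host, series, version, ssh_enabled) are constructed for illustration. The fixed versions are the ones the advisory states. The one non-obvious point it demonstrates is that version strings must be compared numerically, field by field: a plain string comparison puts v8.5.6.0 after v8.5.53.1 and would wrongly report that player as patched.

```python
"""Triage a BrightSign player inventory against the fixed versions in this advisory.

Constructed example for this page. The inventory rows are made up and the
field names (host, series, version, ssh_enabled) are this script's own
assumption, not a BrightSign or OTPulse data format.
"""
import re

# Fixed versions stated in the advisory, keyed by BrightSign OS series.
FIXED_VERSIONS = {
    4: "v8.5.53.1",
    5: "v9.0.166",
}

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"host": "lobby-sign-01", "series": 4, "version": "v8.5.6.0", "ssh_enabled": True},
    {"host": "lobby-sign-02", "series": 4, "version": "v8.5.53.1", "ssh_enabled": False},
    {"host": "platform-3", "series": 5, "version": "v9.0.150", "ssh_enabled": False},
    {"host": "platform-4", "series": 5, "version": "9.0.170", "ssh_enabled": True},
]


def parse_version(text):
    """Convert 'v8.5.53.1' (or '8.5.53.1') to a tuple of ints.

    Tuples of ints compare field by field; raw strings do not
    ('v8.5.6.0' sorts after 'v8.5.53.1' lexicographically).
    """
    match = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(series, version):
    """True when the running version is older than the fixed version for its series."""
    fixed = FIXED_VERSIONS.get(series)
    if fixed is None:
        raise ValueError(f"no fixed version known for BrightSign OS series {series}")
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Return one result per device: whether it needs the update and a priority bucket.

    The buckets mirror the advisory's remediation groups: an affected device
    with a remote login service enabled gets 'do now' (disable SSH/telnet and
    rotate credentials before the patch window), any other affected device
    gets 'schedule', and devices at or above the fixed version get 'ok'.
    """
    results = []
    for device in inventory:
        affected = is_affected(device["series"], device["version"])
        if not affected:
            priority = "ok"
        elif device.get("ssh_enabled"):
            priority = "do now"
        else:
            priority = "schedule"
        results.append({
            "host": device["host"],
            "affected": affected,
            "priority": priority,
            "target_version": FIXED_VERSIONS[device["series"]],
        })
    return results


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['host']:<16} affected={row['affected']!s:<5} "
              f"priority={row['priority']:<9} target={row['target_version']}")
```

Feed it whatever export your signage management tooling produces, mapped onto the four assumed fields; the series value decides which fixed version applies, so a player whose series is unknown is rejected rather than silently marked as patched.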
Remediation & Mitigation
Do now
  • HARDENING: Change default passwords immediately upon device setup
  • WORKAROUND: Disable the local DWS (Desktop Web Server) if not required for operations
  • WORKAROUND: Disable SSH/telnet server when not actively in use
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update BrightSign OS series 4 players to v8.5.53.1 or later
  • HOTFIX: Update BrightSign OS series 5 players to v9.0.166 or later
Long-term hardening
  • HARDENING: Physically secure BrightSign players in controlled locations inaccessible to unauthorized personnel
  • HARDENING: Disable SD and USB ports if not needed for content management