CVE-2025-5095
Published 2025-08-08
Priority P272 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.87% (54.3th percentile)
Burk Technology ARC Solo's password change mechanism can be utilized without proper
authentication procedures, allowing an attacker to take over the device.
A password change request can be sent directly to the device's HTTP
endpoint without providing valid credentials. The system does not
enforce proper authentication or session validation, allowing the
password change to proceed without verifying the request's legitimacy.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| burk_technology | arc_solo | < 1.0.62 | 1.0.62 |
Detection & IOCs (extracted from sources)
- Password change request can be sent directly to the device's HTTP endpoint without providing valid credentials — monitor for unauthenticated HTTP requests to the ARC Solo password change endpoint
- No session or authentication validation is enforced on the password change function — alert on password change HTTP requests that lack authentication headers or session tokens to ARC Solo devices
- Vulnerability is exploitable remotely with low attack complexity and no privileges required — prioritize detection on internet-facing or network-accessible ARC Solo devices running versions prior to v1.0.62
- All ARC Solo devices running firmware versions prior to v1.0.62 are vulnerable; patch to v1.0.62 or later to remediate
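One way to implement the alerting described in the list above, as an added example that is not part of the advisory or any vendor tooling: it scans HTTP records from a sensor or reverse proxy in front of the devices and flags password-change requests that carry no credentials. The log schema, the host inventory and the endpoint path are assumptions; the advisory does not name the path, so a placeholder stands in for it.

```python
import json
from urllib.parse import urlsplit

# Assumptions, not from the advisory: the device inventory, the sensor's log
# schema, and the endpoint path (the advisory does not publish it).
ARC_SOLO_HOSTS = {"192.0.2.10", "192.0.2.11"}          # constructed inventory
PASSWORD_CHANGE_PATH = "/PLACEHOLDER/password-change"  # placeholder path
CREDENTIAL_HEADERS = ("authorization", "cookie")

def find_unauthenticated_changes(lines):
    """Return one alert per credential-less password-change request."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
            headers = {k.lower(): str(v) for k, v in rec.get("headers", {}).items()}
            path = urlsplit(rec["path"]).path.rstrip("/")
            dst, method = rec["dst"], rec["method"].upper()
            status = int(rec.get("status", 0))
        except (ValueError, KeyError, AttributeError, TypeError):
            continue  # malformed record: skip it, keep processing the rest
        if dst not in ARC_SOLO_HOSTS or path != PASSWORD_CHANGE_PATH:
            continue
        if method not in ("POST", "PUT"):
            continue
        # A header that is present but empty still counts as no credentials.
        if any(headers.get(h, "").strip() for h in CREDENTIAL_HEADERS):
            continue
        # A 2xx answer means the device probably accepted the change.
        severity = "critical" if 200 <= status < 300 else "high"
        alerts.append({"src": rec.get("src"), "dst": dst, "severity": severity})
    return alerts

def _rec(src, dst, method, path, status, headers):
    return json.dumps({"src": src, "dst": dst, "method": method,
                       "path": path, "status": status, "headers": headers})

# Constructed sample records, not captured traffic.
SAMPLE = [
    _rec("203.0.113.5", "192.0.2.10", "POST", PASSWORD_CHANGE_PATH, 200, {}),
    _rec("198.51.100.7", "192.0.2.10", "POST", PASSWORD_CHANGE_PATH, 200,
         {"Cookie": "session=abc"}),
    _rec("203.0.113.5", "192.0.2.99", "POST", PASSWORD_CHANGE_PATH, 200, {}),
    _rec("203.0.113.9", "192.0.2.11", "post", PASSWORD_CHANGE_PATH + "/?x=1",
         401, {"Authorization": ""}),
    "not json",
    _rec("203.0.113.5", "192.0.2.10", "GET", PASSWORD_CHANGE_PATH, 200, {}),
]
```

Calling `find_unauthenticated_changes(SAMPLE)` yields two alerts: the accepted request with no headers is rated critical, and the rejected one with an empty `Authorization` header is rated high.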
CVSS provenance
- nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd, v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
GHSA-f2pq-885w-7238 · ghsa_unreviewed · 2025-08-08
CVE-2025-5095 [CRITICAL] CWE-306
CISA ICS
Burk Technology ARC Solo
cisa_ics · 2025-08-07 · CVSS 9.8 · CRITICAL
ICS Advisory
## Burk Technology ARC Solo
Release Date: August 07, 2025
Alert Code: ICSA-25-219-03
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: Burk Technology
- Equipment: ARC Solo
- Vulnerability: Missing Authentication for Critical Function
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could result in an attacker gaining access to the device, locking out authorized users, or disrupting operations.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following version of ARC Solo, a monitoring and control device primarily used in broadcasting, is affected:
- ARC Solo: Versions
No detection rules found.
No public exploits indexed.