Severity: High
Date: December 22, 2025
Vulnerability: Unauthenticated Factory Reset Vulnerability

Products Affected:
- SOUND4 IMPACT/PULSE/FIRST v2 and v2.15
- SOUND4 IMPACT/PULSE/Eco 1.16
- SOUND4 BigVoice4 1.2
- SOUND4 BigVoice2 1.30
- SOUND4 CompactStream 1.1/2.4.29
- SOUND4 VVM 1.11

CVE: CVE-2023-5396
CWE: CWE-306 Missing Authentication for Critical Function
CVSS Score: 8.8
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

References:
- ExploitDB-51174
- SOUND4 Official Product Homepage
- Zero Science Lab Disclosure (ZSL-2022-5742)

Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab

Description:
- The /usr/cgi-bin/resetfactory.cgi endpoint in SOUND4 IMPACT/PULSE/FIRST/Eco v2.x allows remote attackers to reset device configuration via a POST request, bypassing authentication and gaining full system control.
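Detection example (added here, not part of the original advisory or any vendor code): because the endpoint performs no authentication, the request source is the only thing a log reviewer can check. The Python below scans access-log lines for POST requests to resetfactory.cgi; the Combined Log Format, the /cgi-bin/ URL prefix, the admin_sources allowlist and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: the device's web server or a fronting proxy logs in Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "resetfactory.cgi"  # script name taken from the advisory

def normalise(target):
    """Drop the query string, decode percent-escapes, collapse ./ and ../ segments."""
    path = unquote(urlsplit(target).path)
    return posixpath.normpath(path).lower()

def find_reset_requests(lines, admin_sources=()):
    """Return one record per POST to the factory-reset script.

    admin_sources is a hypothetical allowlist of management hosts; hits from
    any other address have expected_source=False and deserve review first.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Segment match also catches trailing path-info after the script name.
        if ENDPOINT not in normalise(m["target"]).split("/"):
            continue
        hits.append({
            "ip": m["ip"], "time": m["ts"], "path": m["target"],
            "status": int(m["status"]),
            "expected_source": m["ip"] in admin_sources,
        })
    return hits

# Constructed sample lines (documentation address ranges, assumed URL prefix).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Dec/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Dec/2025:10:05:40 +0000] "POST /cgi-bin/resetfactory.cgi HTTP/1.1" 200 31',
    '198.51.100.23 - - [22/Dec/2025:10:06:11 +0000] "POST /cgi-bin/./%72esetfactory.cgi?x=1 HTTP/1.1" 200 31',
    '192.0.2.10 - - [22/Dec/2025:10:09:00 +0000] "POST /cgi-bin/resetfactory.cgi HTTP/1.1" 200 31',
    '203.0.113.7 - - [22/Dec/2025:10:09:30 +0000] "GET /cgi-bin/resetfactory.cgi HTTP/1.1" 200 31',
]

if __name__ == "__main__":
    for hit in find_reset_requests(SAMPLE_LOG, admin_sources={"192.0.2.10"}):
        print(hit)
```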