CVE-2025-57437 Overview
CVE-2025-57437 is a critical information disclosure vulnerability affecting the Blackmagic Web Presenter HD firmware version 3.3. The device exposes sensitive configuration data through an unauthenticated Telnet service on port 9977. Upon connection, the service reveals extensive device information without requiring any authentication, including model details, version information, unique identifiers, network settings (IP, MAC, DNS), current streaming platform credentials, stream keys, streaming URLs, and audio/video configuration settings.
This vulnerability poses a significant risk to content creators and broadcast professionals who rely on the Web Presenter HD for live streaming operations. An attacker with network access can harvest streaming credentials to hijack live broadcasts or leverage the exposed network configuration data for reconnaissance and lateral movement within the target environment.
Critical Impact
Unauthenticated remote attackers can extract streaming platform credentials and stream keys, enabling live stream hijacking, unauthorized broadcast access, and network reconnaissance without any user interaction.
Affected Products
- Blackmagic Design Web Presenter HD Firmware version 3.3
- Blackmagic Design Web Presenter HD Hardware
Discovery Timeline
- 2025-09-22 - CVE-2025-57437 published to NVD
- 2025-10-10 - Last updated in NVD database
Technical Details for CVE-2025-57437
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The Blackmagic Web Presenter HD firmware implements a Telnet service listening on TCP port 9977 that lacks any form of authentication or access control. When a remote client establishes a connection to this port, the device immediately transmits a comprehensive dump of its configuration state.
The exposed information includes streaming platform authentication credentials such as stream keys and RTMP URLs, which are particularly sensitive as they grant direct control over live broadcast channels. An attacker who obtains these credentials can inject unauthorized content into live streams, impersonate the legitimate broadcaster, or disrupt ongoing broadcasts. Additionally, the network configuration data (IP addresses, MAC addresses, DNS settings) facilitates network mapping and can assist attackers in identifying other vulnerable devices or planning further intrusion activities.
Root Cause
The root cause of this vulnerability is the absence of authentication mechanisms on the Telnet service exposed on port 9977. The firmware developers likely implemented this service for debugging or configuration purposes but failed to restrict access to authorized personnel. The service was either inadvertently left enabled in production firmware or was designed without security considerations, treating all connecting clients as trusted entities regardless of their origin or authorization status.
Attack Vector
The attack vector is network-based and requires no privileges, user interaction, or prior authentication. An attacker simply needs network connectivity to the vulnerable device on port 9977. This can be achieved from the local network segment where the device is deployed, or potentially from the internet if the device is exposed through misconfigured firewall rules or port forwarding.
The exploitation process involves establishing a TCP connection to the target device on port 9977. Upon successful connection, the Telnet service automatically transmits all sensitive configuration data to the client. The attacker can then parse this data to extract streaming credentials, network configuration, and device identifiers for further malicious activities.
Technical details and research can be found at the GitHub CVE-2025-57437 Research repository.
Detection Methods for CVE-2025-57437
Indicators of Compromise
- Unexpected TCP connections to port 9977 on Blackmagic Web Presenter HD devices from unauthorized IP addresses
- Network traffic logs showing Telnet protocol activity on non-standard port 9977
- Unauthorized streaming activity or stream hijacking incidents following network reconnaissance
- Evidence of stream key rotation failures or duplicate streaming sessions using the same credentials
Detection Strategies
- Implement network intrusion detection rules to alert on TCP connections to port 9977 destined for media production device IP ranges
- Configure firewall logging to capture and analyze connection attempts to port 9977 on vulnerable devices
- Deploy network monitoring to identify unauthorized Telnet traffic patterns that may indicate active exploitation
- Review streaming platform logs for authentication anomalies such as simultaneous connections or geographic inconsistencies
Monitoring Recommendations
- Establish baseline network traffic patterns for Web Presenter HD devices and alert on deviations, particularly unexpected inbound connections
- Monitor streaming platform dashboards for unauthorized broadcasts or credential usage from unfamiliar locations
- Implement network segmentation monitoring to detect attempts to access broadcast equipment from unauthorized network zones
How to Mitigate CVE-2025-57437
Immediate Actions Required
- Immediately block inbound TCP connections to port 9977 on all Blackmagic Web Presenter HD devices using network firewalls or ACLs
- Rotate all streaming platform credentials (stream keys, RTMP passwords) for devices that may have been exposed
- Isolate affected devices on a dedicated VLAN with restricted network access until remediation is complete
- Audit network logs to identify any prior unauthorized access attempts to port 9977
Patch Information
At the time of publication, no vendor patch has been confirmed for this vulnerability. Organizations should monitor the Blackmagic Design Official Site for firmware updates addressing this security issue. Contact Blackmagic Design support directly to inquire about remediation timelines and available security updates.
Workarounds
- Deploy network-level access controls using firewalls to block all external and unauthorized internal access to port 9977
- Place Blackmagic Web Presenter HD devices on isolated network segments that restrict access to authorized broadcast operators only
- Implement VPN requirements for remote management of broadcast equipment to prevent exposure to untrusted networks
- Consider disabling the Telnet service if firmware configuration options permit, pending vendor guidance
# Example firewall rule to block access to vulnerable Telnet service (iptables)
iptables -A INPUT -p tcp --dport 9977 -j DROP
# Example ACL for Cisco devices to restrict access
access-list 100 deny tcp any host <WEB_PRESENTER_IP> eq 9977
access-list 100 permit ip any any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
