CVE-2025-66573 Overview
CVE-2025-66573 is an information disclosure vulnerability in Mersive Solstice Pod firmware versions 5.5 and 6.2. The device exposes an unauthenticated API endpoint at /api/config that returns sensitive runtime data. Returned fields include the active session key, server version, product details, and display name. Any network-reachable attacker can query the endpoint and harvest live session information without credentials. The flaw is classified under CWE-319 for cleartext transmission of sensitive information.
Critical Impact
Unauthenticated remote attackers can extract session keys from Solstice Pod devices, enabling unauthorized join access to active collaboration sessions and reconnaissance of meeting room infrastructure.
Affected Products
- Mersive Solstice Pod Firmware version 5.5
- Mersive Solstice Pod Firmware version 6.2
- Mersive Solstice Pod hardware appliances running affected firmware
Discovery Timeline
- 2025-12-04 - CVE-2025-66573 published to NVD
- 2025-12-23 - Last updated in NVD database
Technical Details for CVE-2025-66573
Vulnerability Analysis
The Solstice Pod web service exposes the /api/config endpoint over the network without authentication controls. The endpoint returns a JSON document containing operational metadata for the device. Among the returned fields is the active session key used by clients to join the wireless display session. Attackers can issue a single HTTP GET request and parse the response to obtain that key. With the session key in hand, an attacker on the same reachable network can join the collaboration session and view or interact with content presented to the room.
The response also reveals the firmware version and product identifiers. This metadata simplifies follow-on targeting by allowing attackers to match the device against known firmware vulnerabilities. The flaw maps to CWE-319, reflecting the exposure of sensitive material through an unauthenticated channel.
Root Cause
The /api/config handler does not enforce authentication or authorization before returning configuration data. Session-sensitive fields are included in the response by default. The design treats the configuration endpoint as public read-only metadata while serving values that gate access to the session itself.
Attack Vector
Exploitation requires only network reachability to the Solstice Pod management interface. An attacker sends an HTTP GET request to /api/config and parses the JSON response. No credentials, user interaction, or special tooling are required. Public proof-of-concept material is referenced in Exploit-DB #52104 and the VulnCheck Advisory.
Detection Methods for CVE-2025-66573
Indicators of Compromise
- HTTP GET requests to /api/config originating from clients that are not authorized management workstations.
- Repeated unauthenticated requests to Solstice Pod IP addresses from scanning ranges or unmanaged endpoints.
- Unexpected client joins to active Solstice sessions from devices outside the meeting room's known asset inventory.
Detection Strategies
- Inspect web access logs on Solstice Pod devices and upstream proxies for requests to /api/config paths.
- Correlate API access events with session-join events to identify key reuse by unauthorized clients.
- Deploy network signatures that flag HTTP responses containing Solstice configuration JSON fields traversing untrusted segments.
Monitoring Recommendations
- Forward Solstice Pod and network device logs to a centralized SIEM for retention and correlation.
- Establish a baseline of legitimate management sources and alert on deviations targeting Solstice IP ranges.
- Monitor for firmware version disclosure patterns that often precede targeted exploitation attempts.
How to Mitigate CVE-2025-66573
Immediate Actions Required
- Place Solstice Pod devices on isolated VLANs that restrict access to authorized meeting room clients only.
- Block inbound access to the Solstice management API from general user networks and the internet using firewall ACLs.
- Rotate session keys frequently and enable screen key requirements within Solstice configuration where supported.
- Inventory all Solstice Pod appliances and confirm running firmware versions against the affected list.
Patch Information
No vendor patch is referenced in the current CVE record. Administrators should consult the Mersive Solstice Documentation for firmware updates that address the unauthenticated endpoint and apply them once available.
Workarounds
- Segment Solstice Pod devices behind a dedicated firewall rule set permitting only required client subnets.
- Disable or restrict the Solstice web management interface to a management VLAN.
- Require screen keys and moderator approval for new session participants to limit value of leaked session keys.
- Use network access control to prevent unmanaged devices from reaching Solstice Pod IP addresses.
# Configuration example - restrict access to Solstice Pod API
# Example iptables rule allowing only management subnet to reach the API
iptables -A FORWARD -s 10.10.50.0/24 -d <solstice_pod_ip> -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d <solstice_pod_ip> -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
