CVE-2020-35587

HIGH

Mersive Solstice Firmware < 3.0.3 - Missing Encryption

Title source: rule

Description

In Solstice Pod before 3.0.3, the firmware can easily be decompiled/disassembled. The decompiled/disassembled files contain non-obfuscated code. NOTE: it is unclear whether lack of obfuscation is directly associated with a negative impact, or instead only facilitates an attack technique

References (4)

[Release Notes, Vendor Advisory] https://documentation.mersive.com/content/pages/release-notes.htm

[Product, Vendor Advisory] https://www.mersive.com/uk/products/solstice/

[Third Party Advisory] https://github.com/aress31/solstice-pod-cves

View Writeup ZIP pw:eip

[Third Party Advisory] https://attack.mitre.org/techniques/T1444/

Scores

CVSS v3 7.5

EPSS 0.0072

EPSS Percentile 72.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-311

Status published

Products (1)

mersive/solstice_firmware < 3.0.3

Published Dec 23, 2020

Tracked Since Feb 18, 2026