CVE-2023-7328

MEDIUM

Screen SFT DAB 600/C Firmware <= 1.9.3 - Unauthenticated Information Disclosure via User Management API

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-7328. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit demonstrates an unauthenticated information disclosure vulnerability in Screen SFT DAB 600/C devices. By sending a crafted HTTP request to the `userManager.cgx` endpoint, an attacker can retrieve sensitive user information, including usernames, roles, and IP addresses.

Description

Screen SFT DAB 600/C firmware versions up to and including 1.9.3 contain an improper access control flaw in the user management API that allows unauthenticated requests to retrieve structured user data, including account names and connection metadata such as client IP and timeout values.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · remote · hardware
https://www.exploit-db.com/exploits/51460

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Screen SFT DAB 600/C with Firmware 1.9.3, Bios firmware 7.1, Gui 2.46, FPGA 169.55, uc 6.15
No auth needed
Prerequisites: Network access to the target device · The `userManager.cgx` endpoint must be exposed
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 5.3
EPSS 0.0030
EPSS Percentile 21.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-306
Status published
Products (2)
DB Elettronica Telecomunicazioni SpA/Screen SFT DAB 600/C < 1.9.3
dbbroadcast/sft_dab_600/c_firmware < 1.9.3
Published Nov 14, 2025
Tracked Since Feb 18, 2026