CVE-2025-57431

HIGH

Sound4 Pulse-eco Aes67 Firmware - Download Without Integrity Check

Title source: rule

Description

The Sound4 PULSE-ECO AES67 1.22 web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware.

References (2)

[Exploit, Third Party Advisory] https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57431

View Exploit ZIP pw:eip

[Product] https://www.sound4.com

Scores

CVSS v3 8.8

EPSS 0.0014

EPSS Percentile 33.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-494

Status published

Products (1)

sound4/pulse-eco_aes67_firmware 1.22

Published Sep 22, 2025

Tracked Since Feb 18, 2026