ICSA-25-126-03  ·  Published 2026-01-29  ·  View on CISA ICS-CERT ↗

BrightSign Players (Update A)

CVSS 8.4 HIGH

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges on the device, take advantage of easily guessable passwords, or execute arbitrary code on the underlying operating system.

Remediations

  • BrightSign fixed CVE-2025-3925 and CVE-2025-54756 in v8.5.53.1 (for series 4 players) and v9.0.166 (for series 5 players). Both of these have been released and are available on the BrightSign download site.
  • BrightSign recommends the following security practices:
      • Change default passwords when the device is initially set up.
      • Disable the local DWS (Diagnostic Web Server) as described in "High Security settings".
      • Disable the SSH/telnet server when it is not in use; it is not enabled by default.
      • Locate devices where attackers do not have physical access to them.
      • Disable the SD and USB ports if they are not needed.
  • For more information, please contact BrightSign via their website.

Affected Vendors

BrightSign

Affected Products (2)

BrightSign · BrightSign OS series 4 players <v8.5.53.1
BrightSign · BrightSign OS series 5 players <v9.0.166
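As an added example (not part of the advisory and not BrightSign's or CISA's tooling), the following Python script checks a player inventory against the fixed versions listed above, flagging series 4 players below v8.5.53.1 and series 5 players below v9.0.166. The hostnames and firmware versions in the sample inventory are constructed for illustration, and the script assumes each inventory entry already records the player's series, since the advisory gives a different fixed version per series.

```python
"""Triage a BrightSign player inventory against ICSA-25-126-03 (Update A)."""
import re

# Fixed BrightSign OS versions from the advisory, keyed by player series.
FIXED_VERSIONS = {
    4: (8, 5, 53, 1),   # series 4 players: fixed in v8.5.53.1
    5: (9, 0, 166),     # series 5 players: fixed in v9.0.166
}


def parse_version(text: str) -> tuple:
    """Turn a version string such as 'v8.5.53.1' or '9.0.166' into a tuple of ints."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised BrightSign OS version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(series: int, version: str) -> bool:
    """True when a player of the given series runs a version older than the fix."""
    fixed = FIXED_VERSIONS.get(series)
    if fixed is None:
        raise ValueError(f"advisory lists no fixed version for series {series}")
    current = parse_version(version)
    # Pad both tuples so 8.5.53 compares as 8.5.53.0 against 8.5.53.1.
    width = max(len(current), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(current) < pad(fixed)


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    {"host": "lobby-sign-01", "series": 4, "version": "v8.5.47.1"},
    {"host": "lobby-sign-02", "series": 4, "version": "v8.5.53.1"},
    {"host": "cafeteria-menu", "series": 5, "version": "9.0.152"},
    {"host": "ward-3-board", "series": 5, "version": "v9.0.166"},
    {"host": "atrium-wall", "series": 5, "version": "v9.1.3"},
]


def triage(inventory) -> list:
    """Return the hostnames of players that still need the BrightSign OS update."""
    return [d["host"] for d in inventory if is_affected(d["series"], d["version"])]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required (ICSA-25-126-03)")
```

Players exactly at the fixed version are reported as patched; anything the regex cannot parse raises rather than being silently treated as safe, which is the behaviour you want when an inventory export contains blank or malformed version fields.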

Affected Sectors

Commercial Facilities, Financial Services, Food and Agriculture, Healthcare and Public Health
