{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/360686#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nDigigram's PYKO-OUT audio-over-IP (AoIP) product is an audio decoder intended for uses such as paging, background music and live announcements. It provides two analog mono outputs and a USB port for storing local playlists. The product does not require a password by default; when exposed to the Internet, this allows attackers to access the device, from which they can compromise the device's functionality or pivot to attacking adjacent connected devices. \r\n\r\n### Description\r\n\r\nDigigram is an audio hardware and software vendor whose products include sound cards, AoIP gateways, and speaker-related support software. The PYKO-OUT is Digigram's audio-over-IP product used for audio decoding and intended for uses such as paging, background music, and live announcements. \r\n\r\nA vulnerability has been discovered in the web-server component of the PYKO-OUT AoIP device: its default configuration does not require any login credentials. This web server listens on 192.168.0.100 by default. The lack of login credentials allows any attacker who discovers the IP address of a vulnerable device to connect to it and manipulate it without any authentication or authorization. \r\n\r\nAn attacker who gains access to the device can read and change its configuration, control audio outputs and inputs, and potentially pivot to other connected devices, whether over the network or by placing malicious files on a connected USB device. 
\r\n\r\n### Impact\r\nAn attacker with access to a vulnerable device can read and change the device's configuration, control the audio-over-IP data streams managed by the device, and pivot to other network-connected or physically connected devices, such as through a connected USB thumb drive. \r\n\r\n### Solution\r\nDigigram has marked this product as End of Life (EOL) and will not be providing a patch to change the default configuration. Users should set a password in the web server UI so that all connections are required to authenticate, and should not expose the device's web server directly to the Internet. Additionally, the product is no longer being sold by Digigram. \r\n\r\n### Acknowledgements\r\nThanks to the reporter, Souvik Kandar. Additional thanks to CERT-FR. This document was written by Christopher Cullen.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details.","title":"Limitations of Advisory"},{"category":"other","text":"The notification of End of Life of PYKO OUT has been announced to DIGIGRAM customers and distributors in March 2024. 
\r\nThere are currently no more devices available from our stock.","title":"Vendor statement from Digigram"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/360686"},{"url":"https://www.digigram.com/download/pyko-out-user-manual-en-jan-2019/","summary":"https://www.digigram.com/download/pyko-out-user-manual-en-jan-2019/"},{"url":"https://www.digigram.com/products/audio-over-ip-gateways/pyko-out-stereo-ip-audio-decoder/","summary":"https://www.digigram.com/products/audio-over-ip-gateways/pyko-out-stereo-ip-audio-decoder/"},{"url":"https://medium.com/@hacker_might/exposed-digigram-pyko-out-aoip-devices-accessible-online-without-login-cve-2025-3927-8f74307ba4c1","summary":"https://medium.com/@hacker_might/exposed-digigram-pyko-out-aoip-devices-accessible-online-without-login-cve-2025-3927-8f74307ba4c1"}],"title":"Digigram PYKO-OUT audio-over-IP (AoIP) does not require a password by default","tracking":{"current_release_date":"2025-05-02T14:37:04+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#360686","initial_release_date":"2025-05-02 14:37:04.308351+00:00","revision_history":[{"date":"2025-05-02T14:37:04+00:00","number":"1.20250502143704.1","summary":"Released on 2025-05-02T14:37:04+00:00"}],"status":"final","version":"1.20250502143704.1"}},"vulnerabilities":[{"title":"Digigram's PYKO-OUT audio-over-IP (AoIP) web-server does not require a password by default, allowing any attacker with the target IP address to connect and compromise the device, potentially pivoting to connected network or hardware 
devices.","notes":[{"category":"summary","text":"Digigram's PYKO-OUT audio-over-IP (AoIP) web-server does not require a password by default, allowing any attacker with the target IP address to connect and compromise the device, potentially pivoting to connected network or hardware devices."}],"cve":"CVE-2025-3927","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#360686"}],"product_status":{"known_not_affected":["CSAFPID-55025866-3544-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Digigram","product":{"name":"Digigram Products","product_id":"CSAFPID-55025866-3544-11f1-8422-122e2785dc9f"}}]}}