The device allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or internal Flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.

Title: Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution  
Advisory ID: ZSL-2023-5796  
Type: Local/Remote  
Impact: Security Bypass, System Access, DoS  
Risk: (5/5)  
Release Date: 30.09.2023

**Summary**

Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system.

FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available.

**Description**

The device allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or internal Flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.

**Vendor**

Electrolink s.r.l. - https://www.electrolink.com

**Affected Version**

10W, 100W, 250W, Compact DAB Transmitter  
500W, 1kW, 2kW Medium DAB Transmitter  
2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter  
100W, 500W, 1kW, 2kW Compact FM Transmitter  
3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter  
15W - 40kW Digital FM Transmitter  
BI, BIII VHF TV Transmitter  
10W - 5kW UHF TV Transmitter  
Web version: 01.09, 01.08, 01.07  
Display version: 1.4, 1.2  
Control unit version: 01.06, 01.04, 01.03  
Firmware version: 2.1

**Tested On**

Mbedthis-Appweb/12.5.0  
Mbedthis-Appweb/12.0.0

**Vendor Status**

\[30.06.2023\] Vulnerability discovered.  
\[02.07.2023\] Vendor contacted.  
\[16.08.2023\] No response from the vendor.  
\[17.08.2023\] Vendor contacted.  
\[29.09.2023\] No response from the vendor.  
\[30.09.2023\] Public security advisory released.

**PoC**

electrolink\_upload.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://documentation.help/Microchip-TCP.IP-Stack/GS-MPFSUpload.html

**Changelog**

\[30.09.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution

The transmitter is suffering from a Denial of Service (DoS) scenario. An unauthenticated attacker can reset the board as well as stop the transmitter operations by sending one GET request to the command.cgi gateway.

Title: Electrolink FM/DAB/TV Transmitter Unauthenticated Remote DoS  
Advisory ID: ZSL-2023-5795  
Type: Local/Remote  
Impact: DoS  
Risk: (4/5)  
Release Date: 30.09.2023

**Summary**

Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system.

FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available.

**Description**

The transmitter is suffering from a Denial of Service (DoS) scenario. An unauthenticated attacker can reset the board as well as stop the transmitter operations by sending one GET request to the command.cgi gateway.

**Vendor**

Electrolink s.r.l. - https://www.electrolink.com

**Affected Version**

10W, 100W, 250W, Compact DAB Transmitter  
500W, 1kW, 2kW Medium DAB Transmitter  
2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter  
100W, 500W, 1kW, 2kW Compact FM Transmitter  
3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter  
15W - 40kW Digital FM Transmitter  
BI, BIII VHF TV Transmitter  
10W - 5kW UHF TV Transmitter  
Web version: 01.09, 01.08, 01.07  
Display version: 1.4, 1.2  
Control unit version: 01.06, 01.04, 01.03  
Firmware version: 2.1

**Tested On**

Mbedthis-Appweb/12.5.0  
Mbedthis-Appweb/12.0.0

**Vendor Status**

\[30.06.2023\] Vulnerability discovered.  
\[02.07.2023\] Vendor contacted.  
\[16.08.2023\] No response from the vendor.  
\[17.08.2023\] Vendor contacted.  
\[29.09.2023\] No response from the vendor.  
\[30.09.2023\] Public security advisory released.

**PoC**

electrolink\_dos.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[30.09.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Electrolink FM/DAB/TV Transmitter Unauthenticated Remote DoS

The device allows an unauthenticated attacker to bypass authentication and modify the Cookie to reveal hidden pages that allows more critical operations to the transmitter.

Title: Electrolink FM/DAB/TV Transmitter SuperAdmin Hidden Functionality  
Advisory ID: ZSL-2023-5794  
Type: Local/Remote  
Impact: Security Bypass, Privilege Escalation  
Risk: (4/5)  
Release Date: 30.09.2023

**Summary**

Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system.

FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available.

**Description**

The device allows an unauthenticated attacker to bypass authentication and modify the Cookie to reveal hidden pages that allows more critical operations to the transmitter.

**Vendor**

Electrolink s.r.l. - https://www.electrolink.com

**Affected Version**

10W, 100W, 250W, Compact DAB Transmitter  
500W, 1kW, 2kW Medium DAB Transmitter  
2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter  
100W, 500W, 1kW, 2kW Compact FM Transmitter  
3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter  
15W - 40kW Digital FM Transmitter  
BI, BIII VHF TV Transmitter  
10W - 5kW UHF TV Transmitter  
Web version: 01.09, 01.08, 01.07  
Display version: 1.4, 1.2  
Control unit version: 01.06, 01.04, 01.03  
Firmware version: 2.1

**Tested On**

Mbedthis-Appweb/12.5.0  
Mbedthis-Appweb/12.0.0

**Vendor Status**

\[30.06.2023\] Vulnerability discovered.  
\[02.07.2023\] Vendor contacted.  
\[16.08.2023\] No response from the vendor.  
\[17.08.2023\] Vendor contacted.  
\[29.09.2023\] No response from the vendor.  
\[30.09.2023\] Public security advisory released.

**PoC**

electrolink\_hidden.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[30.09.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Electrolink FM/DAB/TV Transmitter SuperAdmin Hidden Functionality

The application suffers from a privilege escalation vulnerability. An attacker can escalate his privileges by poisoning the Cookie from GUEST to ADMIN to effectively become Administrator or poisoning to ZSL to become Super Administrator.

Title: Electrolink FM/DAB/TV Transmitter Vertical Privilege Escalation  
Advisory ID: ZSL-2023-5793  
Type: Local/Remote  
Impact: Privilege Escalation, Manipulation of Data  
Risk: (4/5)  
Release Date: 30.09.2023

**Summary**

Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system.

FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available.

**Description**

The application suffers from a privilege escalation vulnerability. An attacker can escalate his privileges by poisoning the Cookie from GUEST to ADMIN to effectively become Administrator or poisoning to ZSL to become Super Administrator.

**Vendor**

Electrolink s.r.l. - https://www.electrolink.com

**Affected Version**

10W, 100W, 250W, Compact DAB Transmitter  
500W, 1kW, 2kW Medium DAB Transmitter  
2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter  
100W, 500W, 1kW, 2kW Compact FM Transmitter  
3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter  
15W - 40kW Digital FM Transmitter  
BI, BIII VHF TV Transmitter  
10W - 5kW UHF TV Transmitter  
Web version: 01.09, 01.08, 01.07  
Display version: 1.4, 1.2  
Control unit version: 01.06, 01.04, 01.03  
Firmware version: 2.1

**Tested On**

Mbedthis-Appweb/12.5.0  
Mbedthis-Appweb/12.0.0

**Vendor Status**

\[30.06.2023\] Vulnerability discovered.  
\[02.07.2023\] Vendor contacted.  
\[16.08.2023\] No response from the vendor.  
\[17.08.2023\] Vendor contacted.  
\[29.09.2023\] No response from the vendor.  
\[30.09.2023\] Public security advisory released.

**PoC**

electrolink\_eop.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[30.09.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Electrolink FM/DAB/TV Transmitter Vertical Privilege Escalation

The application is vulnerable to an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving her access to the admin panel. Also vulnerable to account takeover and arbitrary password change.

Title: Electrolink FM/DAB/TV Transmitter Remote Authentication Removal  
Advisory ID: ZSL-2023-5792  
Type: Local/Remote  
Impact: Security Bypass, Privilege Escalation, System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data  
Risk: (5/5)  
Release Date: 30.09.2023

**Summary**

Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system.

FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available.

**Description**

The application is vulnerable to an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving her access to the admin panel. Also vulnerable to account takeover and arbitrary password change.

**Vendor**

Electrolink s.r.l. - https://www.electrolink.com

**Affected Version**

10W, 100W, 250W, Compact DAB Transmitter  
500W, 1kW, 2kW Medium DAB Transmitter  
2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter  
100W, 500W, 1kW, 2kW Compact FM Transmitter  
3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter  
15W - 40kW Digital FM Transmitter  
BI, BIII VHF TV Transmitter  
10W - 5kW UHF TV Transmitter  
Web version: 01.09, 01.08, 01.07  
Display version: 1.4, 1.2  
Control unit version: 01.06, 01.04, 01.03  
Firmware version: 2.1

**Tested On**

Mbedthis-Appweb/12.5.0  
Mbedthis-Appweb/12.0.0

**Vendor Status**

\[30.06.2023\] Vulnerability discovered.  
\[02.07.2023\] Vendor contacted.  
\[16.08.2023\] No response from the vendor.  
\[17.08.2023\] Vendor contacted.  
\[29.09.2023\] No response from the vendor.  
\[30.09.2023\] Public security advisory released.

**PoC**

electrolink\_auth4.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[30.09.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Electrolink FM/DAB/TV Transmitter Remote Authentication Removal

The transmitter is vulnerable to an authentication bypass vulnerability affecting the Login Cookie. An attacker can set an arbitrary value except 'NO' to the Login Cookie and have full system access.

Title: Electrolink FM/DAB/TV Transmitter (Login Cookie) Authentication Bypass  
Advisory ID: ZSL-2023-5791  
Type: Local/Remote  
Impact: Security Bypass, Privilege Escalation, System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data  
Risk: (5/5)  
Release Date: 30.09.2023

**Summary**

Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system.

FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available.

**Description**

The transmitter is vulnerable to an authentication bypass vulnerability affecting the Login Cookie. An attacker can set an arbitrary value except 'NO' to the Login Cookie and have full system access.

**Vendor**

Electrolink s.r.l. - https://www.electrolink.com

**Affected Version**

10W, 100W, 250W, Compact DAB Transmitter  
500W, 1kW, 2kW Medium DAB Transmitter  
2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter  
100W, 500W, 1kW, 2kW Compact FM Transmitter  
3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter  
15W - 40kW Digital FM Transmitter  
BI, BIII VHF TV Transmitter  
10W - 5kW UHF TV Transmitter  
Web version: 01.09, 01.08, 01.07  
Display version: 1.4, 1.2  
Control unit version: 01.06, 01.04, 01.03  
Firmware version: 2.1

**Tested On**

Mbedthis-Appweb/12.5.0  
Mbedthis-Appweb/12.0.0

**Vendor Status**

\[30.06.2023\] Vulnerability discovered.  
\[02.07.2023\] Vendor contacted.  
\[16.08.2023\] No response from the vendor.  
\[17.08.2023\] Vendor contacted.  
\[29.09.2023\] No response from the vendor.  
\[30.09.2023\] Public security advisory released.

**PoC**

electrolink\_auth3.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[30.09.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Electrolink FM/DAB/TV Transmitter (Login Cookie) Authentication Bypass

The device is vulnerable to a disclosure of clear-text credentials in controlloLogin.js that can allow security bypass and system access.

Title: Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials Disclosure  
Advisory ID: ZSL-2023-5790  
Type: Local/Remote  
Impact: Security Bypass, Privilege Escalation, System Access, Exposure of System Information, Exposure of Sensitive Information  
Risk: (5/5)  
Release Date: 30.09.2023

**Summary**

Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system.

FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available.

**Description**

The device is vulnerable to a disclosure of clear-text credentials in controlloLogin.js that can allow security bypass and system access.

**Vendor**

Electrolink s.r.l. - https://www.electrolink.com

**Affected Version**

10W, 100W, 250W, Compact DAB Transmitter  
500W, 1kW, 2kW Medium DAB Transmitter  
2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter  
100W, 500W, 1kW, 2kW Compact FM Transmitter  
3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter  
15W - 40kW Digital FM Transmitter  
BI, BIII VHF TV Transmitter  
10W - 5kW UHF TV Transmitter  
Web version: 01.09, 01.08, 01.07  
Display version: 1.4, 1.2  
Control unit version: 01.06, 01.04, 01.03  
Firmware version: 2.1

**Tested On**

Mbedthis-Appweb/12.5.0  
Mbedthis-Appweb/12.0.0

**Vendor Status**

\[30.06.2023\] Vulnerability discovered.  
\[02.07.2023\] Vendor contacted.  
\[16.08.2023\] No response from the vendor.  
\[17.08.2023\] Vendor contacted.  
\[29.09.2023\] No response from the vendor.  
\[30.09.2023\] Public security advisory released.

**PoC**

electrolink\_auth2.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[30.09.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials Disclosure

The device is vulnerable to a disclosure of clear-text credentials in login.htm and mail.htm that can allow security bypass and system access.

Title: Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credentials Disclosure  
Advisory ID: ZSL-2023-5789  
Type: Local/Remote  
Impact: Security Bypass, Privilege Escalation, System Access, Exposure of System Information, Exposure of Sensitive Information  
Risk: (5/5)  
Release Date: 30.09.2023

**Summary**

Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system.

FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available.

**Description**

The device is vulnerable to a disclosure of clear-text credentials in login.htm and mail.htm that can allow security bypass and system access.

**Vendor**

Electrolink s.r.l. - https://www.electrolink.com

**Affected Version**

10W, 100W, 250W, Compact DAB Transmitter  
500W, 1kW, 2kW Medium DAB Transmitter  
2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter  
100W, 500W, 1kW, 2kW Compact FM Transmitter  
3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter  
15W - 40kW Digital FM Transmitter  
BI, BIII VHF TV Transmitter  
10W - 5kW UHF TV Transmitter  
Web version: 01.09, 01.08, 01.07  
Display version: 1.4, 1.2  
Control unit version: 01.06, 01.04, 01.03  
Firmware version: 2.1

**Tested On**

Mbedthis-Appweb/12.5.0  
Mbedthis-Appweb/12.0.0

**Vendor Status**

\[30.06.2023\] Vulnerability discovered.  
\[02.07.2023\] Vendor contacted.  
\[16.08.2023\] No response from the vendor.  
\[17.08.2023\] Vendor contacted.  
\[29.09.2023\] No response from the vendor.  
\[30.09.2023\] Public security advisory released.

**PoC**

electrolink\_auth.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[30.09.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credentials Disclosure

The application receives SIGABRT after RAPortCheck.createNWConnection() function is handling the SecureGatewayHost object in the RoyalTSXNativeUI. When the hostname has an array of around 1600 bytes and Test Connection is clicked the app crashes instantly.

Title: RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC  
Advisory ID: ZSL-2023-5788  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (3/5)  
Release Date: 22.09.2023

**Summary**

Royal TS is an ideal tool for system engineers and other IT professionals who need remote access to systems with different protocols. Not only easy to use, it enables secure multi-user document sharing.

**Description**

The application receives SIGABRT after RAPortCheck.createNWConnection() function is handling the SecureGatewayHost object in the RoyalTSXNativeUI. When the hostname has an array of around 1600 bytes and Test Connection is clicked the app crashes instantly.

**Vendor**

Royal Apps GmbH - https://www.royalapps.com

**Affected Version**

6.0.1.1000 (macOS)

**Tested On**

MacOS 13.5.1 (Ventura)

**Vendor Status**

\[05.09.2023\] Vulnerability discovered.  
\[07.09.2023\] Sent crash report to the vendor.  
\[08.09.2023\] Vendor responds asking more details.  
\[08.09.2023\] Sent details to vendor.  
\[11.09.2023\] Working with the vendor.  
\[11.09.2023\] Vendor confirms this is a bug in the RotalTSX's Swift wrapper for Apple's Network framework. The fix will be included in the next upcoming minor update.  
\[12.09.2023\] Replied to the vendor.  
\[22.09.2023\] Vendor releases beta version 6.0.2.1 to address this issue.  
\[22.09.2023\] Replied to the vendor.  
\[22.09.2023\] Coordinated public security advisory released.

**PoC**

royaltsx\_mem.txt  
royaltsx\_poc.rar

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>  
High five to Felix!

**References**

\[1\] https://support.royalapps.com/support/solutions/articles/17000027755  
\[2\] https://developer.apple.com/documentation/network/nwendpoint/hostport\_host\_port  
\[3\] https://developer.apple.com/documentation/network/2976720-nw\_endpoint\_create\_host

**Changelog**

\[22.09.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC

An unauthenticated attacker can retrieve the controller's configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety.

Title: Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC  
Advisory ID: ZSL-2023-5786  
Type: Local/Remote  
Impact: Security Bypass, Privilege Escalation, System Access, Exposure of System Information, Exposure of Sensitive Information  
Risk: (5/5)  
Release Date: 01.09.2023

**Summary**

Lan Controller is a very universal device that allows you to connect many different sensors and remotely view their readings and remotely control various types of outputs. It is also possible to combine both functions into an automatic if -> this with a calendar when -> then. The device provides a user interface in the form of a web page. The website presents readings of various types of sensors: temperature, humidity, pressure, voltage, current. It also allows you to configure the device, incl. event setting and controlling up to 10 outputs. Thanks to the support of many protocols, it is possible to operate from smartphones, collect and observ the results on the server, as well as cooperation with other I/O systems based on TCP/IP and Modbus.

**Description**

An unauthenticated attacker can retrieve the controller's configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety.

**Vendor**

Tinycontrol - https://www.tinycontrol.pl

**Affected Version**

<=1.58a, HW 3.8

**Tested On**

lwIP

**Vendor Status**

\[18.08.2023\] Vulnerability discovered.  
\[19.08.2023\] Vendor contacted.  
\[31.08.2023\] No response from the vendor.  
\[01.09.2023\] Public security advisory released.

**PoC**

lk3\_backup.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[01.09.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Source

Zero Science Lab