BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or
series 5 prior to v9.0.166 use a default password that is guessable with
knowledge of the device information. The latest release fixes this
issue for new installations; users of old installations are encouraged
to change all default passwords.
Credits
Adam Merrill, a member of the Adversarial Modeling and Penetration Testing (AMPT) team at Sandia National Laboratories, reported this vulnerability to CISA.
