Skip to main content

EZCast Pro II CVE-2025-13954

CRITICAL
Use of Hard-coded Credentials (CWE-798)
2025-12-10 vulnerability@ncsc.ch
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:L/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:L/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 13:30 vuln.today

DescriptionCVE.org

Hard-coded cryptographic keys in Admin UI of EZCast Pro II before version 1.17478.177 allows attackers to bypass authorization checks and gain full access to the admin UI

AnalysisAI

Authorization bypass in EZCast Pro II wireless presentation devices before firmware 1.17478.177 allows adjacent-network attackers to obtain full administrative control of the device Admin UI by leveraging hard-coded cryptographic keys (CWE-798). The flaw was reported through Switzerland's NCSC coordinated vulnerability disclosure programme and carries a CVSS v4.0 base score of 9.3 with automatable exploitation flagged in the vector. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

EZCast Pro II is a wireless screen-mirroring and presentation appliance produced by Nimbletech / Actions Microelectronics, typically deployed in meeting rooms and classrooms to relay Miracast/AirPlay/Google Cast traffic. The Admin UI is the web management interface used to configure network, firmware, and projection settings. CWE-798 (Use of Hard-coded Cryptographic Keys) means the firmware ships with embedded secrets that are identical across devices of the same build; once those keys are recovered from one firmware image they can be reused to forge authentication material or decrypt protected tokens, bypassing the normal login gate of the Admin UI. Because the keys are baked into the binary, every unpatched unit shares the same trust anchor regardless of operator-set passwords.

Affected ProductsAI

EZCast Pro II firmware versions prior to 1.17478.177 are affected; the fixed build is 1.17478.177 and later. No CPE strings were supplied in the input. The vendor reference is Nimbletech's release-notes page at https://www.nimbletech.com.tw/index.php/release-note/ and the coordinated disclosure case is published by the Swiss NCSC at https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/cvd-cases/cvd-case-1-test.html.

RemediationAI

Upgrade EZCast Pro II devices to firmware 1.17478.177 or later per the Nimbletech release notes at https://www.nimbletech.com.tw/index.php/release-note/, which is the vendor-released patch addressing the hard-coded key issue; the NCSC advisory at https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/cvd-cases/cvd-case-1-test.html provides additional disclosure context. Until firmware can be applied, place the appliances on an isolated management VLAN or dedicated SSID that is not reachable from the general user/guest WiFi (trade-off: legitimate presenters must be granted access to that segment, often via a captive-portal or pre-shared key), restrict layer-2 reachability to the Admin UI port from end-user devices using wireless client isolation or ACLs (trade-off: may break vendor mobile-app discovery features), and disable any feature that exposes the Admin UI over WAN if remote management is enabled. Rotating local Admin UI passwords does not mitigate this issue because the bypass operates via embedded keys, not credentials.

Share

CVE-2025-13954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy