CVE-2025-63209

The ELCA Star Transmitter Remote Control firmware 1.25 for STAR150, BP1000, STAR300, STAR2000, STAR1000, STAR500, and possibly other models, contains an information disclosure vulnerability allowing unauthenticated attackers to retrieve admin credentials and system settings via an unprotected /setup.xml endpoint. The admin password is stored in plaintext under the <p05> XML tag, potentially leading to remote compromise of the transmitter system.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63209_ELCA%20Star%20Transmitter%20Remote%20Control%20-%20Information%20Disclosure	Exploit Third Party Advisory
https://www.elcaradio.com	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:elcaradio:star150_firmware:1.25:*:*:*:*:*:*:*

cpe:2.3:h:elcaradio:star150:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:elcaradio:bp1000_firmware:1.25:*:*:*:*:*:*:*

cpe:2.3:h:elcaradio:bp1000:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:elcaradio:star300_firmware:1.25:*:*:*:*:*:*:*

cpe:2.3:h:elcaradio:star300:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:elcaradio:star2000_firmware:1.25:*:*:*:*:*:*:*

cpe:2.3:h:elcaradio:star2000:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:elcaradio:star1000_firmware:1.25:*:*:*:*:*:*:*

cpe:2.3:h:elcaradio:star1000:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:elcaradio:star500_firmware:1.25:*:*:*:*:*:*:*

cpe:2.3:h:elcaradio:star500:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-11-19 18:15

Updated : 2026-01-15 22:04

NVD link : CVE-2025-63209

Mitre link : CVE-2025-63209

CVE.ORG link : CVE-2025-63209

JSON object : View

Products Affected

elcaradio

bp1000_firmware
star150_firmware
star1000_firmware
star1000
star300_firmware
star150
star2000
bp1000
star300
star2000_firmware
star500
star500_firmware

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2025-63209", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-11-19T18:15:49.067", "references": [{"url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63209_ELCA%20Star%20Transmitter%20Remote%20Control%20-%20Information%20Disclosure", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.elcaradio.com", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The ELCA Star Transmitter Remote Control firmware 1.25 for STAR150, BP1000, STAR300, STAR2000, STAR1000, STAR500, and possibly other models, contains an information disclosure vulnerability allowing unauthenticated attackers to retrieve admin credentials and system settings via an unprotected /setup.xml endpoint. The admin password is stored in plaintext under the <p05> XML tag, potentially leading to remote compromise of the transmitter system."}], "lastModified": "2026-01-15T22:04:52.570", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:elcaradio:star150_firmware:1.25:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2DCB1D49-BDE0-40E2-B4DA-F8EF2950C731"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:elcaradio:star150:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2C404AD-4AC7-43B7-A603-F2AB6010E275"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:elcaradio:bp1000_firmware:1.25:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CBA890D-8786-450E-B0D5-529D72DC119E"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:elcaradio:bp1000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "97DAAC20-0678-422A-9543-8C8739DDC08F"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:elcaradio:star300_firmware:1.25:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1DCBF9FE-5E66-4302-AA53-8F7DFC97E65B"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:elcaradio:star300:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5F73BF23-FBB1-4C30-B192-1AEE651CE351"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:elcaradio:star2000_firmware:1.25:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F0BEFB3-10A7-4FFB-861E-BE15BB5ABEAF"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:elcaradio:star2000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E0400771-3687-45CA-B11B-79A535C1AC24"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:elcaradio:star1000_firmware:1.25:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "255C19F1-72A1-4034-9942-464481115DF0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:elcaradio:star1000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "79C3C2FC-552E-497C-A780-91186FB64E1D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:elcaradio:star500_firmware:1.25:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F28926EB-5265-45AE-9E26-E98134BDD70F"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:elcaradio:star500:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4E4259CA-BE44-4CE2-8CFB-5573BD613BB3"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}