Cyber Resilience

CVE-2020-36922

Medium · Public PoC

Published: 06 January 2026
Modified: 22 January 2026
CVSS v4 Score: 6.9
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0011 (28.6th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-36922 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Sony Bravia Signage. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Network Configuration Discovery (T1016). The CVE ranks at the 28.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).

Deeper analysis

Sony BRAVIA Digital Signage version 1.7.8 suffers from an information disclosure vulnerability, classified as CVE-2020-36922 and mapped to CWE-497. The flaw exposes sensitive system details through API endpoints, enabling unauthenticated attackers to retrieve network interface information, server configurations, and system metadata by sending requests to the exposed system API. This issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with no effects on integrity or availability.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By targeting the exposed API endpoints, attackers gain access to detailed system information that could facilitate further reconnaissance, such as identifying network topology, server setups, or metadata for subsequent attacks on the digital signage device or connected infrastructure.

Advisories and resources for mitigation are available through several references, including Sony's official Pro BRAVIA sites at https://pro-bravia.sony.net and https://pro-bravia.sony.net/resources/software/bravia-signage/, as well as vulnerability reports from CXSecurity (https://cxsecurity.com/issue/WLB-2020120028), IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/192606), and PacketStorm (https://packetstorm.news/files/id/160343). Security practitioners should consult these for patch details or configuration guidance specific to Sony BRAVIA Digital Signage.

Vulnerability details

Sony BRAVIA Digital Signage 1.7.8 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive system details through API endpoints. Attackers can retrieve network interface information, server configurations, and system metadata by sending requests to the exposed system API.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1016 System Network Configuration Discovery (tactic: Discovery)
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.

T1082 System Information Discovery (tactic: Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Why these techniques?

Direct information disclosure via exposed API enables unauthenticated retrieval of network config (T1016) and system metadata (T1082).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2020-36923: Same product: Sony Bravia Signage
CVE-2024-52367: Shared CWE-497
CVE-2025-9110: Shared CWE-497
CVE-2026-24523: Shared CWE-497
CVE-2024-36554: Shared CWE-497
CVE-2026-24377: Shared CWE-497
CVE-2026-24536: Shared CWE-497
CVE-2025-13651: Shared CWE-497
CVE-2025-9986: Shared CWE-497
CVE-2020-36885: Same vendor: Sony

Affected Assets

Vendor: sony
Product: bravia signage
Version: ≤ 1.7.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Limits permitted actions without identification or authentication, directly preventing unauthenticated access to sensitive system details via exposed API endpoints.

prevent

Protects security-sensitive information from unauthorized access when provided through public interfaces like the vulnerable API endpoints.

prevent

Controls access to and protects publicly accessible content, mitigating disclosure of network interfaces, server configurations, and system metadata through unauthenticated APIs.
