CVE-2020-36922
Published: 06 January 2026
Summary
CVE-2020-36922 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Sony Bravia Signage. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Network Configuration Discovery (T1016). The CVE ranks at the 28.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).
Deeper analysis
Sony BRAVIA Digital Signage version 1.7.8 suffers from an information disclosure vulnerability, classified as CVE-2020-36922 and mapped to CWE-497. The flaw exposes sensitive system details through API endpoints, enabling unauthenticated attackers to retrieve network interface information, server configurations, and system metadata by sending requests to the exposed system API. This issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with no effects on integrity or availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By targeting the exposed API endpoints, attackers gain access to detailed system information that could facilitate further reconnaissance, such as identifying network topology, server setups, or metadata for subsequent attacks on the digital signage device or connected infrastructure.
Advisories and resources for mitigation are available through several references, including Sony's official Pro BRAVIA sites at https://pro-bravia.sony.net and https://pro-bravia.sony.net/resources/software/bravia-signage/, as well as vulnerability reports from CXSecurity (https://cxsecurity.com/issue/WLB-2020120028), IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/192606), and PacketStorm (https://packetstorm.news/files/id/160343). Security practitioners should consult these for patch details or configuration guidance specific to Sony BRAVIA Digital Signage.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1017
Vulnerability details
Sony BRAVIA Digital Signage 1.7.8 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive system details through API endpoints. Attackers can retrieve network interface information, server configurations, and system metadata by sending requests to the exposed system API.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct information disclosure via exposed API enables unauthenticated retrieval of network config (T1016) and system metadata (T1082).
Mitigating Controls (NIST 800-53 r5)
Limits permitted actions without identification or authentication, directly preventing unauthenticated access to sensitive system details via exposed API endpoints.
Protects security-sensitive information from unauthorized access when provided through public interfaces like the vulnerable API endpoints.
Controls access to and protects publicly accessible content, mitigating disclosure of network interfaces, server configurations, and system metadata through unauthenticated APIs.