Cyber Posture

CVE-2020-36922

High · Public PoC

Published: 06 January 2026

Modified: 22 January 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0017 (37.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-36922 is a high-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Sony Bravia Signage. Its CVSS base score is 7.5 (High).

Operationally, it ranks at the 37.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-497

Ongoing reviews detect and remove sensitive system information before it reaches publicly accessible systems.

addresses: CWE-497

Uses detection to keep sensitive system information gathered through unauthorized mining from being exfiltrated to external control spheres.

addresses: CWE-497

Documenting where system information is processed and stored prevents exposure to unauthorized control spheres.

addresses: CWE-497

The control stops sensitive system information from crossing into unauthorized control spheres through EM emanations.

addresses: CWE-497

Authorization and minimization requirements keep PII out of test/research control spheres that often lack production-grade protections.

addresses: CWE-497

Documented categorization of system information reduces the chance that sensitive internals are left exposed to unauthorized spheres.

addresses: CWE-497

System information is concealed or replaced with decoys, reducing leakage to unauthorized observers.

addresses: CWE-497

Ensures sensitive system information is not disclosed outside the intended control sphere through error output.

NVD Description

Sony BRAVIA Digital Signage 1.7.8 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive system details through API endpoints. Attackers can retrieve network interface information, server configurations, and system metadata by sending requests to the exposed system API.

Deeper analysis (AI)

Sony BRAVIA Digital Signage version 1.7.8 suffers from an information disclosure vulnerability, classified as CVE-2020-36922 and mapped to CWE-497. The flaw exposes sensitive system details through API endpoints, enabling unauthenticated attackers to retrieve network interface information, server configurations, and system metadata by sending requests to the exposed system API. This issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with no effects on integrity or availability.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By targeting the exposed API endpoints, attackers gain access to detailed system information that could facilitate further reconnaissance, such as identifying network topology, server setups, or metadata for subsequent attacks on the digital signage device or connected infrastructure.

Advisories and resources for mitigation are available through several references, including Sony's official Pro BRAVIA sites at https://pro-bravia.sony.net and https://pro-bravia.sony.net/resources/software/bravia-signage/, as well as vulnerability reports from CXSecurity (https://cxsecurity.com/issue/WLB-2020120028), IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/192606), and PacketStorm (https://packetstorm.news/files/id/160343). Security practitioners should consult these for patch details or configuration guidance specific to Sony BRAVIA Digital Signage.

Details

CWE(s)

Affected Products

sony · bravia signage · ≤ 1.7.8

CVEs Like This One

CVE-2020-36923: Same product: Sony Bravia Signage
CVE-2020-36926: Shared CWE-497
CVE-2026-24377: Shared CWE-497
CVE-2025-9986: Shared CWE-497
CVE-2026-34413: Shared CWE-497
CVE-2025-9110: Shared CWE-497
CVE-2026-24222: Shared CWE-497
CVE-2025-13616: Shared CWE-497
CVE-2025-1144: Shared CWE-497
CVE-2026-24536: Shared CWE-497

References