CVE-2022-50696
Published: 30 December 2025
Summary
CVE-2022-50696 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Sound4 First Firmware. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2022-50696 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classified under CWE-798, involving hardcoded credentials embedded in the server binaries of SOUND4 IMPACT, FIRST, PULSE, and Eco devices running versions 2.x and below. These static credentials cannot be modified through normal device operations and affect the software across both Linux and Windows distributions.
Remote attackers can exploit this vulnerability without privileges or user interaction by leveraging the known hardcoded credentials to gain unauthorized access to the affected devices over the network. Exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing full control over the targeted systems.
Advisories detailing the issue are available from sources including IBM XForce Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/247949), Packet Storm Security (https://packetstormsecurity.com/files/170256/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-Hardcoded-Credentials.html), Vulncheck (https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-hardcoded-credentials-authentication-bypass), and Zero Science Lab (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5729.php), along with the vendor site (https://www.sound4.com/). No specific patches or mitigations are detailed in the CVE description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55940
Vulnerability details
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain hardcoded credentials embedded in server binaries that cannot be modified through normal device operations. Attackers can leverage these static credentials to gain unauthorized access to the device across Linux and Windows distributions without requiring user interaction.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded credentials enable remote unauthenticated access to public-facing device servers, directly facilitating Exploit Public-Facing Application (T1190) and use of Default Accounts (T1078.001).
Mitigating Controls (NIST 800-53 r5)
IA-5 requires verification, issuance, storage, generation, alteration, and destruction of authenticators, directly preventing the embedding and use of unmodifiable hardcoded credentials in system binaries.
SI-2 mandates identification, reporting, and timely remediation of system flaws, directly addressing the hardcoded credentials vulnerability through patching or replacement.
SC-7 monitors and controls communications at system boundaries, preventing remote network-based exploitation of the hardcoded credentials by restricting access to the vulnerable server service.