PatchSiren cyber security CVE debrief

CVE-2025-54756 BrightSign CVE debrief

BrightSign reported a default-password weakness in BrightSign OS series 4 players before v8.5.53.1 and series 5 players before v9.0.166. CISA rates the issue 8.4 HIGH. BrightSign says the fixed releases are available, and older installations should have all default passwords changed.

Vendor
BrightSign
Product
Unknown
CVSS
HIGH 8.4
CISA KEV
Not listed in stored evidence
Original CVE published
2025-05-06
Original CVE updated
2026-01-29
Advisory published
2025-05-06
Advisory updated
2026-01-29

Who should care

Administrators and fleet operators managing BrightSign digital-signage players, especially environments running BrightSign OS series 4 or 5 versions below the fixed releases. Security teams responsible for credential hygiene on embedded or kiosk-style devices should also review affected deployments.

Technical summary

According to the CISA CSAF advisory, BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 use a default password that can be guessed with knowledge of device information. The advisory states the latest release fixes the issue for new installations, while older installations should have all default passwords changed. The supplied CVSS v3.1 vector is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, with a score of 8.4 (HIGH).

Defensive priority

High

Recommended defensive actions

  • Upgrade BrightSign OS series 4 players to v8.5.53.1 or later.
  • Upgrade BrightSign OS series 5 players to v9.0.166 or later.
  • Change all default passwords on existing installations, not just new deployments.
  • Disable the local DWS (Diagnostic Web Server) if it is not required, per BrightSign guidance.
  • Disable SSH/telnet when not in use.
  • Limit physical access to players and disable SD/USB ports if they are not needed.
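As an added example that is not part of the advisory or BrightSign's own tooling, the following Python inventory check flags players still below the fixed releases named above and players whose default password has not been changed; the fleet list is constructed sample data and its field names are assumptions.

```python
# Fleet audit for the default-password advisory on BrightSign OS (ICSA-25-126-03).
# Flags players still below the fixed releases named in the advisory and players
# whose default password was never changed. The inventory below is constructed data.
import re

# Fixed releases from the advisory, keyed by BrightSign OS series.
FIXED_RELEASES = {4: (8, 5, 53, 1), 5: (9, 0, 166)}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'v8.5.53.1' or '9.0.166' into a tuple of ints for comparison."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable BrightSign OS version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(series: int, version: str) -> bool:
    """True when the player runs a release earlier than the fix for its series."""
    fixed = FIXED_RELEASES.get(series)
    if fixed is None:
        raise ValueError(f"BrightSign OS series {series} is not covered by the advisory")
    v = parse_version(version)
    width = max(len(v), len(fixed))  # pad so 9.0.166 compares equal to 9.0.166.0
    return v + (0,) * (width - len(v)) < fixed + (0,) * (width - len(fixed))


def audit(players: list[dict]) -> list[tuple[str, str]]:
    """Return (player name, reason) pairs that need action under the advisory."""
    findings = []
    for p in players:
        if is_affected(p["series"], p["version"]):
            findings.append((p["name"], f"series {p['series']} {p['version']} predates the fixed release"))
        # The advisory asks older installs to change defaults, whether or not they upgrade.
        if not p["default_password_changed"]:
            findings.append((p["name"], "default password still in place"))
    return findings


# Constructed sample inventory (assumed field names); a real run would load the operator's asset list.
SAMPLE_FLEET = [
    {"name": "lobby-1", "series": 4, "version": "v8.5.50.0", "default_password_changed": False},
    {"name": "lobby-2", "series": 4, "version": "v8.5.53.1", "default_password_changed": True},
    {"name": "menu-7", "series": 5, "version": "9.0.120", "default_password_changed": True},
    {"name": "menu-8", "series": 5, "version": "v9.0.166.0", "default_password_changed": True},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_FLEET):
        print(f"{name}: {reason}")
```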

Evidence notes

The supplied CISA CSAF advisory (ICSA-25-126-03) identifies the affected products, the fixed versions, and the recommendation to change default passwords on older installations. The CVE was published on 2025-05-06, and the advisory was later updated on 2026-01-29 (Update A), which added CVE-2025-54756 to the advisory metadata. No KEV listing is present in the supplied data.

Official resources

CISA CSAF advisory ICSA-25-126-03 was published on 2025-05-06 and updated on 2026-01-29 (Update A) to add CVE-2025-54756. The source data does not indicate KEV inclusion.