PatchSiren

CVE-2024-22186 Electrolink CVE debrief

CVE-2024-22186 is a HIGH severity (CVSS 8.8) privilege escalation vulnerability in Electrolink FM/DAB/TV transmitters, published 2024-04-16. An attacker with guest-level access can escalate to administrator privileges by manipulating session cookies. The vulnerability affects 24 Electrolink transmitter products across DAB, FM, and TV broadcast lines, with all versions impacted. Electrolink has not responded to CISA coordination requests, leaving no vendor patch available. Organizations should implement network segmentation, restrict transmitter web interface access to trusted management networks, and monitor for unauthorized privilege escalation attempts.

Vendor
Electrolink
Product
10W Compact DAB Transmitter
CVSS
HIGH 8.8
CISA KEV
Not listed
Original CVE published
2024-04-16
Original CVE updated
2024-04-16
Advisory published
2024-04-16
Advisory updated
2024-04-16

Who should care

Broadcast station engineers, critical infrastructure operators, media organizations, and ICS security teams managing over-the-air transmission equipment should prioritize assessment given the HIGH severity and lack of vendor remediation.

Technical summary

The Electrolink transmitter web application trusts the privilege level carried in the session cookie instead of resolving it server-side, so a user logged in as guest can edit the cookie value and be treated as an administrator (cookie poisoning). CISA classifies the weakness as CWE-269, Improper Privilege Management. The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, scored 8.8, reflects an interface reachable over the network, low attack complexity, only the low privileges of a guest account required, no user interaction, and high impact to confidentiality, integrity, and availability: an administrator of a transmitter can change its configuration and RF output, not just read it. All 24 affected transmitter products share the same web management interface across the DAB, FM, and TV product lines, and no firmware update or patch is available from the vendor as of advisory publication.
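The following is an added illustration of the bug class, not Electrolink's code (the real cookie names, format, and endpoints are not published, so every name in it is an assumption). It puts the vulnerable pattern, a role read straight from a client-editable cookie, beside the two usual fixes: an opaque session id resolved against server-side state, and, where state must ride in the cookie, an HMAC tag that invalidates any client-side edit.

```python
"""Cookie-trust privilege escalation: the vulnerable pattern beside two fixes.

Added example for the bug class behind CVE-2024-22186 (a guest session whose
privilege level is read back from a client-editable cookie). It is not
Electrolink code; cookie names, endpoints and the key below are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ADMIN_PATH = "/admin/config"          # assumed administrator-only endpoint


def vulnerable_authorize(cookies: Dict[str, str], path: str) -> bool:
    """Vulnerable: the role is whatever the client put in the 'role' cookie.

    A guest who rewrites 'role=guest' to 'role=admin' is treated as admin;
    nothing binds the claimed role to an authenticated session.
    """
    role = cookies.get("role", "guest")
    if path.startswith("/admin/"):
        return role == "admin"
    return True


# Fix 1: opaque session id in the cookie, role kept server-side.
SESSION_STORE: Dict[str, str] = {}    # session id -> role (in-memory stand-in)


def login(role: str) -> str:
    """Create a server-side session and hand the client only an opaque id."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = role
    return sid


def hardened_authorize(cookies: Dict[str, str], path: str) -> bool:
    """Resolve the role from the server-side store; the cookie carries no authority."""
    role = SESSION_STORE.get(cookies.get("sid", ""))
    if role is None:
        return False                  # unknown or forged session id
    if path.startswith("/admin/"):
        return role == "admin"
    return True


# Fix 2: if state must ride in the cookie, authenticate it with an HMAC so
# any client-side edit invalidates the tag.
SERVER_KEY = b"assumed-per-device-secret"   # assumption: generated per device at install, never a shipped default


def sign_cookie(payload: str) -> str:
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(value: str) -> Optional[str]:
    """Return the payload only if its tag verifies (constant-time comparison)."""
    payload, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(expected, tag) else None


def signed_cookie_authorize(cookies: Dict[str, str], path: str) -> bool:
    payload = verify_cookie(cookies.get("auth", ""))
    if payload is None:
        return False                  # missing, malformed or tampered cookie
    role = payload.split("=", 1)[1] if payload.startswith("role=") else "guest"
    if path.startswith("/admin/"):
        return role == "admin"
    return True


def demonstrate() -> Dict[str, bool]:
    """Run the guest-to-admin attempt against all three authorizers."""
    forged = {"role": "admin"}        # guest edited the cookie in the browser
    out = {"vulnerable_forged_role": vulnerable_authorize(forged, ADMIN_PATH)}

    guest_sid = login("guest")
    out["hardened_guest"] = hardened_authorize({"sid": guest_sid}, ADMIN_PATH)
    out["hardened_guessed_sid"] = hardened_authorize({"sid": "admin"}, ADMIN_PATH)
    out["hardened_admin"] = hardened_authorize({"sid": login("admin")}, ADMIN_PATH)

    tampered = sign_cookie("role=guest").replace("role=guest", "role=admin")
    out["signed_tampered"] = signed_cookie_authorize({"auth": tampered}, ADMIN_PATH)
    out["signed_admin"] = signed_cookie_authorize({"auth": sign_cookie("role=admin")}, ADMIN_PATH)
    return out


if __name__ == "__main__":
    for name, allowed in demonstrate().items():
        print(f"{name:24s} admin access granted: {allowed}")
```

Only the first case grants admin access to the forged cookie. Of the two fixes, the server-side session is the stronger one for a device like this: the signed cookie still depends on a per-device key that is not a factory default, and it still needs an expiry and a binding to the session to resist replay.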

Defensive priority

HIGH

Recommended defensive actions

  • Restrict web management interface access to dedicated, segmented management networks with IP allowlisting; the interface should never be reachable from the internet or from general station networks
  • Since the attack starts from a guest session, disable the guest account or give it a strong, unique password where the firmware permits
  • Log management-interface sessions at a reverse proxy or firewall in front of the transmitter and alert when a session authenticated as guest reaches administrative pages or presents a changed privilege cookie
  • Contact Electrolink directly for security updates given vendor non-response to CISA coordination
  • Apply CISA ICS recommended practices for defense-in-depth in broadcast infrastructure environments
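One way to implement the session-monitoring action above, as an added example that is not part of the advisory or any vendor material. Electrolink's log format is not published, so the sample lines are constructed in a plain reverse-proxy style, and the field names and the administrator-only path prefix are assumptions to adapt to whatever fronts the real interface. The detector correlates each source's last successful login with its later requests and raises two signals: a role cookie that no longer matches the account the source logged in as, and an administrator-only path answered 200 to a source that did not log in as admin.

```python
"""Detect guest sessions reaching administrator functions in transmitter web logs.

Added example, not advisory or vendor code. The log lines are constructed;
the field layout and ADMIN_PREFIXES are assumptions for a proxy in front of
the transmitter's web interface.
"""
import re
from typing import Dict, List, Optional

ADMIN_PREFIXES = ("/admin/",)         # assumed administrator-only URL space

# Constructed sample: one guest session that poisons its role cookie
# (lines 3 and 6) and one legitimate admin session (lines 4 and 5).
SAMPLE_LOG = """\
2024-04-16T10:01:55Z 10.0.5.23 POST /login user=guest 200
2024-04-16T10:02:03Z 10.0.5.23 GET /status cookie=role=guest 200
2024-04-16T10:02:11Z 10.0.5.23 GET /admin/config cookie=role=admin 200
2024-04-16T10:05:40Z 10.0.9.7 POST /login user=admin 200
2024-04-16T10:05:52Z 10.0.9.7 GET /admin/config cookie=role=admin 200
2024-04-16T10:06:30Z 10.0.5.23 POST /admin/rf/power cookie=role=admin 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+)"
    r"(?: user=(?P<user>\S+))?(?: cookie=role=(?P<role>\S+))? (?P<status>\d{3})$"
)


def parse(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one log line into fields; None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Correlate each source's last successful login with its later requests."""
    logged_in_as: Dict[str, str] = {}     # src -> user from last successful /login
    alerts: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        if rec["path"] == "/login":
            if rec["status"] == "200" and rec["user"]:
                logged_in_as[rec["src"]] = rec["user"]
            continue
        user = logged_in_as.get(rec["src"])
        # Signal 1: the privilege cookie no longer matches the authenticated account.
        if rec["role"] and user and rec["role"] != user:
            alerts.append({"line": n, "src": rec["src"], "path": rec["path"],
                           "reason": f"role cookie {rec['role']!r} from session logged in as {user!r}"})
        # Signal 2: an admin-only path was served to a source that never logged in as admin
        # (user is None when no login was seen at all, which is also worth an alert).
        if rec["path"].startswith(ADMIN_PREFIXES) and rec["status"] == "200" and user != "admin":
            alerts.append({"line": n, "src": rec["src"], "path": rec["path"],
                           "reason": f"admin path served to session logged in as {user!r}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"line {a['line']}: {a['src']} {a['path']} - {a['reason']}")
```

On the sample, only the two requests from 10.0.5.23 after its guest login are flagged; the admin session from 10.0.9.7 produces nothing. Keying the correlation on source address is the compromise forced by not having a server-side session id in the log; if the proxy can log the session cookie, key on that instead.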

Evidence notes

CISA ICS Advisory ICSA-24-107-02 documents this vulnerability with CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The advisory confirms Electrolink's non-response to mitigation coordination. Affected products span 24 transmitter models including 10W-5kW DAB, 100W-30kW FM, and VHF/UHF TV transmitters.

Official resources

CISA ICS Advisory ICSA-24-107-02, Electrolink FM/DAB/TV Transmitter, published 2024-04-16