PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-3742 Electrolink CVE debrief

CISA published advisory ICSA-24-107-02 on April 16, 2024, disclosing that Electrolink FM/DAB/TV transmitters store credentials in clear-text. The vulnerability affects 24 product variants spanning DAB, FM, and TV transmitter lines. An attacker with network access could use these exposed credentials to gain unauthorized system access. Electrolink has not responded to CISA's coordination requests, and no vendor patch is currently available. The affected products are deployed in broadcast infrastructure environments where compromise could disrupt radio and television transmission services.

Vendor: Electrolink
Product: 10W Compact DAB Transmitter
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-16
Original CVE updated: 2024-04-16
Advisory published: 2024-04-16
Advisory updated: 2024-04-16

Who should care

Broadcast station engineers, critical infrastructure operators, media companies, telecommunications regulators, and security teams responsible for broadcast transmission infrastructure should prioritize assessment of Electrolink deployments in their environments.

Technical summary

The vulnerability exists in the credential storage mechanism of Electrolink broadcast transmitters. Credentials are stored without encryption or hashing, exposing them to any attacker who can access the stored data. With network access to the device, an attacker could retrieve these credentials and authenticate to the transmitter's management interface. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates a network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and high confidentiality impact with no direct integrity or availability impact. The 24 affected products cover the complete Electrolink transmitter portfolio across DAB, FM, and VHF/UHF TV broadcast bands.

Defensive priority

HIGH

Recommended defensive actions

  • Contact Electrolink directly for security guidance and potential firmware updates
  • Segment transmitter management interfaces from operational networks and untrusted zones
  • Implement strong network access controls limiting management plane exposure
  • Audit and rotate any credentials that may have been exposed through clear-text storage
  • Monitor for unauthorized access attempts to transmitter management interfaces
  • Apply CISA ICS recommended practices for defense-in-depth architecture
  • Review backup and recovery procedures for broadcast transmission systems

Evidence notes

CISA advisory ICSA-24-107-02 documents clear-text credential storage across 24 Electrolink transmitter products. The CVSS 3.1 score of 7.5 reflects a network-exploitable, low-complexity issue that requires no privileges and has high confidentiality impact. Vendor non-response is confirmed in the remediation section.
