CVE-2025-57441 in ATEM Mini Pro

Summary

by MITRE • 09/22/2025

The Blackmagic ATEM Mini Pro 2.7 exposes sensitive device and stream configuration information via an unauthenticated Telnet service on port 9990. Upon connection, the attacker can access a protocol preamble that leaks the video mode, routing configuration, input/output labels, device model, and even internal identifiers such as the unique ID. This can be used for reconnaissance and planning further attacks.


Analysis

by VulDB Data Team • 09/22/2025

The Blackmagic ATEM Mini Pro 2.7 carries a critical security vulnerability: it exposes sensitive device configuration information via an unauthenticated Telnet service running on port 9990. This vulnerability falls under the category of information disclosure and configuration weakness, with the specific weakness classified as CWE-200 Information Exposure. The device's default configuration leaves the Telnet service accessible without any authentication mechanism, creating an attack surface that adversaries can exploit to gather comprehensive intelligence about the device's operational parameters.

The technical flaw manifests through the protocol preamble that is automatically transmitted upon Telnet connection establishment. This preamble contains a wealth of sensitive information including video mode specifications, routing configuration details, input and output labels, device model information, and unique internal identifiers such as the device's unique ID. The vulnerability exists because the Telnet service lacks proper access controls and authentication requirements, allowing any remote attacker to establish a connection and retrieve this information without requiring credentials or prior authorization. This design flaw aligns with ATT&CK technique T1212 Exploitation for Credential Access, where adversaries leverage unauthenticated access to extract system information.

The operational impact of this vulnerability extends beyond simple information disclosure, as the leaked configuration data provides attackers with comprehensive reconnaissance capabilities. The video mode information can reveal the device's capabilities and limitations, while routing configuration details expose how the device is connected and configured within a larger network infrastructure. Input/output labels and device model information can be used to plan more sophisticated attacks targeting specific device functionalities or known vulnerabilities in particular model versions. The unique internal identifiers pose additional risks as they can be used for device tracking, correlation with other security events, or as part of broader attack coordination efforts.

Security practitioners should consider this vulnerability in the context of the broader attack lifecycle where initial reconnaissance often determines the success rate of subsequent exploitation attempts. The exposure of internal identifiers and configuration parameters creates opportunities for attackers to develop targeted attacks against specific device configurations or to correlate this information with other security incidents. Mitigation strategies must include immediate network segmentation to isolate the device from untrusted networks, disabling the Telnet service entirely if not required for legitimate administrative purposes, and implementing proper access controls through secure remote management protocols. The vulnerability demonstrates the critical importance of secure default configurations and the principle of least privilege in network device management, as highlighted in industry standards such as NIST SP 800-41 and ISO/IEC 27001 requirements for information security controls.
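The segmentation advice above can be checked against connection logs: because the device sends its preamble as soon as a TCP session to port 9990 completes, any established session from outside the management network is a disclosure event. The following Python audit is an added example, not part of the VulDB or MITRE text; the Zeek conn.log-style layout, the management subnet and the switcher addresses are constructed for illustration.

```python
"""Flag established TCP/9990 sessions to ATEM Mini Pro units from outside the
management network (CVE-2025-57441 exposure check). Log layout, subnets and
device addresses below are constructed assumptions, not values from the advisory."""
import ipaddress

ATEM_CONTROL_PORT = 9990                                    # port named in the advisory
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]    # assumption: allowed operators
ATEM_HOSTS = {"10.20.1.50", "10.20.1.51"}                   # assumption: switcher inventory
# Zeek conn_state values that mean the TCP handshake completed, so the
# device would have transmitted its protocol preamble to the peer.
ESTABLISHED = {"S1", "SF", "S2", "S3", "RSTO", "RSTR"}

# Constructed conn.log-style records, tab separated:
# ts  src  sport  dst  dport  proto  conn_state
SAMPLE_LOG = """\
1758540001.1\t10.20.0.15\t51234\t10.20.1.50\t9990\ttcp\tSF
1758540002.3\t192.0.2.77\t40022\t10.20.1.50\t9990\ttcp\tSF
1758540003.9\t192.0.2.77\t40023\t10.20.1.51\t9990\ttcp\tS0
1758540004.2\t198.51.100.9\t33001\t10.20.1.51\t9990\ttcp\tSF
1758540005.0\t198.51.100.9\t33002\t10.20.1.51\t80\ttcp\tSF
"""

def parse_conn_line(line):
    """Return (ts, src, dst, dport, state) or None for unusable lines."""
    f = line.rstrip("\n").split("\t")
    if len(f) != 7 or f[5] != "tcp" or not f[4].isdigit():
        return None
    return f[0], f[1], f[3], int(f[4]), f[6]

def is_management(src):
    """True when the source address lies in an allow-listed management subnet."""
    return any(ipaddress.ip_address(src) in net for net in MANAGEMENT_NETS)

def audit(log_text):
    """Return one alert per established 9990 session from a non-management host.
    Half-open attempts (S0) are skipped: no handshake, no preamble disclosed."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, state = rec
        if dport != ATEM_CONTROL_PORT or dst not in ATEM_HOSTS:
            continue
        if state in ESTABLISHED and not is_management(src):
            alerts.append({"ts": ts, "src": src, "device": dst,
                           "note": "preamble disclosed to non-management host"})
    return alerts

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the audit reports the two completed sessions from 192.0.2.77 and 198.51.100.9 and ignores the management operator, the unanswered S0 attempt and the unrelated port 80 traffic.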

Responsible: MITRE
Reservation: 08/17/2025
Disclosure: 09/22/2025
Moderation: accepted
CPE: ready
EPSS: 0.00519
KEV: no
Activities: very low
