Sonos speakers: Another Pwn2Own vulnerability patched | Heise online

At the Pwn2Own competition in Dublin last December, participants discovered several vulnerabilities in Sonos speaker systems. Now the Zero Day Initiative (ZDI) and Sonos have jointly published information about another one.

In the ZDI security advisory, the authors explain that attackers on the network can execute arbitrary code on affected Sonos Era 300 speakers. Prior authentication is not required.

The problem occurs when crafted ALAC (Apple Lossless Audio Codec) data is processed. The cause is an inadequate length check of supplied data before it is copied to a heap-based buffer. Injected code runs in the context of the Anacapa user account (CVE-2025-1051 / EUVD-2025-16688, CVSS 8.8, risk "high").
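The bug class described above, a sender-supplied length used for a heap copy without adequate validation, is shown here with both required checks in place. This is an added example, not Sonos or ZDI code; the packet layout, `frame_buf`, `load_packet` and `FRAME_BUF_SIZE` are hypothetical and do not reflect the real ALAC format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_BUF_SIZE 4096u /* assumed capacity of the decoder's heap buffer */

/* Hypothetical packet layout (NOT the real ALAC bitstream):
 * 4-byte big-endian payload length, followed by the payload bytes. */
typedef struct {
    uint8_t *data; /* heap buffer of FRAME_BUF_SIZE bytes */
    size_t used;   /* payload bytes currently stored */
} frame_buf;

int frame_buf_init(frame_buf *fb) {
    fb->data = malloc(FRAME_BUF_SIZE);
    fb->used = 0;
    return fb->data ? 0 : -1;
}

/* Returns 0 on success, -1 if the packet is truncated, -2 if the declared
 * length exceeds the destination. Nothing is copied on failure. */
int load_packet(frame_buf *fb, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 4)
        return -1; /* length header incomplete */
    uint32_t declared = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                        ((uint32_t)pkt[2] << 8) | (uint32_t)pkt[3];
    /* Check 1: sender-controlled length must not exceed the bytes actually
     * received, otherwise memcpy reads past the input. */
    if (declared > pkt_len - 4)
        return -1;
    /* Check 2: it must fit the heap buffer; omitting this check is what
     * turns the copy into a heap-based buffer overflow. */
    if (declared > FRAME_BUF_SIZE)
        return -2;
    memcpy(fb->data, pkt + 4, declared);
    fb->used = declared;
    return 0;
}

int main(void) {
    /* Constructed sample: header declares 5000 bytes, buffer holds 4096. */
    static uint8_t oversized[4 + 5000] = {0x00, 0x00, 0x13, 0x88};
    frame_buf fb;
    if (frame_buf_init(&fb) != 0) return 1;
    printf("oversized -> %d\n", load_packet(&fb, oversized, sizeof oversized));
    free(fb.data);
    return 0;
}
```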

In the security advisory, the authors do not discuss how exactly attackers can deliver such manipulated ALAC data to the targeted Sonos system. The vulnerability is closed by player software release V16.6 (build 83.1-61240) or newer, which has been available for several months. Sonos's own advisory is still pending.

At the end of April, Sonos published its own security advisory on four other Pwn2Own vulnerabilities, whose details were released together with the ZDI. It made clear that, in addition to the software version for the Era 300 speakers, updates for other systems from the S1 series were also necessary, as they were vulnerable too. For these, the update to release V11.15.1 (build 57.22-61162) or newer is available, which fixes the vulnerabilities mentioned there. It is unclear whether this also applies to the newly disclosed vulnerability.

