CVE-2020-36923

CriticalPublic PoC

Published: 06 January 2026

Published

06 January 2026

Modified

22 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0024 46.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Sony BRAVIA Digital Signage 1.7.8 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization controls. Attackers can access hidden system resources like '/#/content-creation' by manipulating client-side access restrictions.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources, directly preventing IDOR bypasses of client-side restrictions via server-side checks.

SC-14 Public Access Protections good match

prevent

Protects publicly accessible interfaces from unauthorized use, mitigating network-exploitable unauthenticated access to hidden resources like '/#/content-creation'.

SI-10 Information Input Validation partial match

prevent

Validates manipulated inputs such as object references, reducing the risk of insecure direct object reference exploitation.

Security SummaryAI

CVE-2020-36923 is an insecure direct object reference vulnerability (CWE-639) in Sony BRAVIA Digital Signage version 1.7.8. The flaw enables attackers to bypass authorization controls by manipulating client-side access restrictions, allowing unauthorized access to hidden system resources such as '/#/content-creation'.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable over the network by unauthenticated attackers requiring low complexity and no user interaction. Exploitation can result in high impacts to confidentiality, integrity, and availability, as attackers gain access to restricted system resources.

Advisories and related resources for mitigation details are available at the following references: https://cxsecurity.com/issue/WLB-2020120031, https://exchange.xforce.ibmcloud.com/vulnerabilities/192607, https://packetstormsecurity.com/files/160344, https://pro-bravia.sony.net, and https://pro-bravia.sony.net/resources/software/bravia-signage/.

Details

CWE(s): CWE-639

Affected Products

sony

bravia signage

≤ 1.7.8

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The IDOR vulnerability in the Sony BRAVIA Digital Signage web interface allows unauthenticated remote attackers to bypass authorization and access hidden system resources, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://cxsecurity.com/issue/WLB-2020120031
Third Party Advisory · disclosure@vulncheck.com
https://exchange.xforce.ibmcloud.com/vulnerabilities/192607
Third Party Advisory · disclosure@vulncheck.com
https://packetstormsecurity.com/files/160344
Third Party Advisory · disclosure@vulncheck.com
https://pro-bravia.sony.net
Product · disclosure@vulncheck.com
https://pro-bravia.sony.net/resources/software/bravia-signage/
Product · disclosure@vulncheck.com
https://pro.sony/ue_US/products/display-software
Product · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/sony-bravia-digital-signage-client-side-protection-bypass-via-idor
Third Party Advisory · disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5611.php
Exploit, Third Party Advisory · disclosure@vulncheck.com
https://www.zeroscience.mk/codes/sonybravia_idor.txt
Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5611.php
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0