CVE ID | CVE-2025-8480 |
CVSS SCORE | 8.0, AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
AFFECTED VENDORS | Alpine |
AFFECTED PRODUCTS | iLX-507 |
VULNERABILITY DETAILS | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine iLX-507 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Tidal music streaming application. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. |
ADDITIONAL DETAILS |
01/29/25 – ZDI reported the vulnerability to the vendor.
01/30/25 – The vendor acknowledged the report.
02/24/25 – The vendor requested additional details.
02/24/25 – ZDI followed up and provided more information about the case.
07/29/25 – ZDI asked for an update and informed the vendor that the case will be published as a zero-day advisory on 08/01/25.

Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product. |
DISCLOSURE TIMELINE |
|
CREDIT | hama7230 |