Security Advisory: 2025-0002
Advisory ID: SSA-2025-0002
Severity: High
Issue Date: 2025-08-25
CVE(s): None
Synopsis: Recent software updates include security enhancements that address potential vulnerabilities in networking protocol used by certain third-party integrations.
1. Impacted Products
- All S1 and S2 Sonos Speakers with at least one authenticated (i.e., login-based, not anonymous) music service provider (MSP) integration.
- Affected versions: All releases prior to Sonos Systems release v17.1.1 (build 85.0-66270) and Sonos S1 System release v11.15.3 (build 57.22-65130)
2. Introduction
A potential vulnerability was identified in Sonos speakers that could allow an unauthorized user on the same Local Area Network (LAN) to access third-party music service tokens.
3. Third-Party Access Token Vulnerability
Known Attack Vectors: Malicious actors with access to the same Local Area Network as the Sonos speakers can subscribe to UPnP events of a speaker to obtain third-party access tokens. This issue is limited in scope and does not affect users unless a malicious actor gains access to their local network environment.
4. Recommended Mitigations
Resolution:
- For Sonos S2 System:
Users are advised to disable “UPnP” in your Sonos App settings. Doing this may impact third party control applications that use the UPnP protocol such as SonoPhone or QQMusic.
This guide explains how to disable "Legacy Integrations" on your Sonos system.
- Open the Sonos app on your device.
- Go to Account, and select Privacy & Security.
- Find the UPnP setting and set it to Off.
- For Sonos S1 System:
S1 was built on an old architecture that relies on the legacy UPnP protocol, which means this issue cannot be resolved via software update. Users are encouraged to implement the workaround outlined below to mitigate risk.
Workaround:
To reduce potential risk on S1 systems, users should ensure that only trusted individuals and devices have access to their local Wi-Fi network. Exploitation of the issue requires a device to be connected to the same LAN as the speaker system.
