This page outlines how not following the recommended security policies can expose users to vulnerabilities including ZSL-2020-5595.
The BrightSign Player Security statement is intended to explain the tradeoffs between accessibility and security that users of BrightSign players need to consider for different applications. Generally speaking, more accessible players are less secure and less accessible players are more secure.
When the Local Diagnostic Web Server is turned ON and is NOT password protected, the player is at its most accessible. While this is the recommended configuration for development and lab applications where accessibility is preferred and often critical for troubleshooting issues and bugs, this accessibility also means that a potential bad actor has full access to storage, the runtime, the networking interface and other aspects of the system.
Consequently, any security testing that does not follow our security recommendations is not cause for action by BrightSign. Please be sure to refer to the BrightSign Player Security statement for further details.