VYPR
Unrated severity · NVD Advisory · Published Nov 17, 2022 · Updated Apr 30, 2025

CVE-2022-42982


Description

BKG Professional NtripCaster 2.0.39 allows querying information over the UDP protocol without authentication. The NTRIP sourcetable is typically quite long (tens of kBs) and can be requested with a packet of only 30 bytes. This presents a vector that can be used for UDP amplification attacks. Normally, only authenticated streaming data will be provided over UDP and not the sourcetable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BKG Professional NtripCaster 2.0.39 allows unauthenticated UDP requests for the large NTRIP sourcetable, enabling UDP amplification attacks.

Vulnerability

BKG Professional NtripCaster version 2.0.39 and earlier [2] responds to unauthenticated UDP requests for the NTRIP sourcetable. The sourcetable is typically tens of kilobytes in size, while a request can be as small as 30 bytes. Normally, only authenticated streaming data is provided over UDP, but the sourcetable endpoint lacks authentication, allowing anyone to request it.

Exploitation

An attacker can send a crafted UDP packet (e.g., the payload 0x80, 0x61, 0x04, 0xd2, ... as described in [2]) to the server. The server responds with the full sourcetable. No authentication or prior knowledge is required. The attacker can spoof the source IP address to direct the large response to a victim, enabling a UDP amplification attack.

Impact

The primary impact is the ability to conduct amplified DDoS attacks. The amplification factor is significant (small request, large response). While the sourcetable itself may leak information about available streams, the main consequence is network availability degradation for the victim.

Mitigation

As of the available references, no patched version has been announced. The recommended mitigation is to configure the server to reject SOURCETABLE requests over UDP and only provide authenticated streaming data via UDP [2]. Users should consult the vendor's changelog [1] for future security updates.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
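A detection sketch for the pattern described above, added here as an example and not taken from the advisory, the vendor or the cited references: it scans flow records at the caster's network edge for a small inbound UDP datagram followed by a sourcetable-sized reply burst. The caster address, the flow records, and the window and thresholds are all constructed assumptions to be tuned against real traffic.

```python
from collections import defaultdict

CASTER = "192.0.2.10"  # assumed caster address (documentation range)

# Constructed flow records, not captured traffic:
# (timestamp_s, src_ip, dst_ip, udp_payload_bytes)
FLOWS = (
    # One 30-byte request answered by a 28,000-byte burst (sourcetable-sized).
    [(10.0, "198.51.100.7", CASTER, 30)]
    + [(10.0 + 0.01 * i, CASTER, "198.51.100.7", 1400) for i in range(1, 21)]
    # Streaming client: occasional small packets in, steady small packets out.
    + [(10.0, "203.0.113.5", CASTER, 40), (20.0, "203.0.113.5", CASTER, 40)]
    + [(10.5 + i, CASTER, "203.0.113.5", 300) for i in range(15)]
)


def find_amplified_replies(flows, caster, window_s=1.0,
                           min_reply_bytes=10_000, min_factor=50):
    """Flag inbound datagrams whose reply burst is far larger than the request.

    A per-request window is used instead of a whole-session ratio so that
    long-lived streaming sessions (many small replies over time) are not flagged.
    """
    inbound = defaultdict(list)   # peer -> [(ts, size)] sent to the caster
    outbound = defaultdict(list)  # peer -> [(ts, size)] sent by the caster
    for ts, src, dst, size in flows:
        if dst == caster:
            inbound[src].append((ts, size))
        elif src == caster:
            outbound[dst].append((ts, size))

    findings = []
    for peer, requests in inbound.items():
        replies = outbound.get(peer, [])
        for req_ts, req_size in requests:
            reply = sum(size for ts, size in replies
                        if req_ts <= ts <= req_ts + window_s)
            factor = reply / req_size if req_size else float("inf")
            if reply >= min_reply_bytes and factor >= min_factor:
                # With a spoofed source, "peer" is where the reply was sent,
                # i.e. the victim address, not the sender of the request.
                findings.append({"peer": peer, "request_bytes": req_size,
                                 "reply_bytes": reply, "factor": round(factor, 1)})
    return findings


if __name__ == "__main__":
    for finding in find_amplified_replies(FLOWS, CASTER):
        print(finding)
```
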

Affected products

2

Patches

0

No patches discovered yet.


References

2
