CVE-2021-38365
LowCVSS 3.7Exploitation Probability (EPSS)
Elevated risk63th percentile — higher than 63% of all known CVEs
Summary
A vulnerability in Winner (ToneWinner) desktop speakers up to August 9, 2021 allows remote attackers to recover speech signals from the power-indicator LED using a telescope and an electro-optical sensor, known as a 'Glowworm' attack.
Risk Assessment
The risk involves the possibility of eavesdropping on conversations in the room where the vulnerable speakers are located, without physical access to the device, potentially leading to leakage of confidential information.
Recommendation
It is recommended to replace vulnerable speakers with models that do not emit light from the LED in a way that allows speech signal recovery, or to apply physical covers over the LED.
Original NVD description (English source)
Winner (aka ToneWinner) desktop speakers through 2021-08-09 allow remote attackers to recover speech signals from the power-indicator LED via a telescope and an electro-optical sensor, aka a "Glowworm" attack.

