WorldCast Systems — 2 prefixes (MA-L)

WorldCast Systems is a French broadcast-technology manufacturer that holds two MA-L blocks — 00:26:04 and 00:90:3F — both registered to "WorldCast Systems" at 20 Avenue Neil Armstrong, Mérignac, France 33700, the company's Bordeaux-Mérignac headquarters. The two allocations are the only IEEE entries for the org; no MA-M or MA-S blocks exist. The hardware behind these prefixes is purpose-built broadcast infrastructure, sold under four brands: APT (IP audio and MPX codecs), Ecreso (FM/DAB/TV transmitters, 100W–10kW), Audemat (RF signal monitoring and RDS), and Kybio (an SNMP-based network-management platform). A MAC from one of these OUIs therefore signals broadcast-sector OT/ICS gear — transmitter-site LANs, studio links, remote broadcast paths — not consumer or generic IT equipment. These devices are designed to be IP-reachable for remote management (web GUI, SNMP v2/v3, RS-232, GPIO), and the vendor's own APT IP Codec manual states the unit does not handle network security and pushes that responsibility onto the operator (private network, VPN, or firewall). The security caveat worth flagging: CVE-2025-28237 (CVSS 8.8 HIGH, published 2025-04-18) is a client-side privilege-escalation flaw in Ecreso transmitter firmware v1.10.1 — a guest-credentialed attacker intercepts the /wscom JSON response and rewrites it to admin, with no server-side re-validation, yielding full device takeover. A public PoC exists. As with all OUI work, no IEEE registration date applies — IEEE publishes none, and third-party "date registered" fields are database artifacts, so allocated_date stays null.

IEEE assignment

2 prefixes → WorldCast Systems, registered Mérignac (Bordeaux), FR [Confirmed] — IEEE MA-L (oui.csv lines 635, 29765)

Registry / block size

MA-L (24-bit OUI); holds 2 IEEE prefixes — 00:26:04 and 00:90:3F [Confirmed] — IEEE oui.csv. NOTE: IEEE's public OUI data publishes NO assignment/registration date (columns are only Registry, Assignment, Organization Name, Organization Address); allocated_date is intentionally null — not fabricated.

HQ / country

20 Avenue Neil Armstrong, Parc d'Activités JF Kennedy, Bordeaux-Mérignac 33700, France (registry + corporate address; additional offices in Miami, Belfast, Kuala Lumpur) [Confirmed] — IEEE MA-L, worldcastsystems.com/en/c138p/about-us

Company status

active [Confirmed] — worldcastsystems.com

Device types

FM/DAB/TV transmitters (Ecreso 100W–10kW), IP audio/MPX codecs (APT), RF monitoring probes and RDS encoders (Audemat), network-management appliances (Kybio) [Confirmed] — worldcastsystems.com, manualslib.com (Ecreso Series)

Notable products

Ecreso transmitter series, APT IP Codec, Audemat FM/HD/DAB monitoring probes, Kybio platform

Verified prefixes (both MA-L, WorldCast Systems)

00:26:04, 00:90:3F [Confirmed] — IEEE oui.csv (lines 635, 29765)

Network exposure

devices are designed for remote IP management — Ecreso exposes a web server, SNMP agent, RS-232, and GPIO; the Ecreso web UI uses a /wscom JSON endpoint for auth/control. The APT IP Codec manual explicitly states the unit does not handle network security and places that responsibility on the operator (private network/VPN/firewall). Broadcast OT/ICS profile. [Confirmed] — APT IP Codec Manual (worldcastsystems.com), manualslib.com (Ecreso Series)

Security context

CVE-2025-28237 (published 2025-04-18; CVSS v3.1 8.8 HIGH, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; CWE-269/CWE-285). Improper authorization in Ecreso FM/DAB/TV transmitter firmware v1.10.1: a guest-credentialed attacker intercepts the /wscom response and rewrites the JSON ({"login@auth":{"accessRight":"admin","retVal":true}}) to escalate to admin — the server does not re-validate privilege changes server-side, yielding full device takeover. Public video PoC; no patch status confirmed in available sources; NVD notes the entry is "not scheduled for NVD enrichment efforts." [Confirmed] — nvd.nist.gov/vuln/detail/CVE-2025-28237, github.com/shiky8 PoC repo, cvedetails.com

Country of origin

France (Bordeaux-Mérignac) [Confirmed] — worldcastsystems.com/en/c138p/about-us

Analyst note

A MAC from these OUIs indicates broadcast-sector infrastructure (transmitter sites, studio LANs, remote links), not consumer/IT gear. Network exposure is intentional (remote management is a core feature), but the vendor places security responsibility on the operator. Given CVE-2025-28237's low attack complexity and network-accessible web interface, unpatched Ecreso transmitters with internet-facing management ports represent meaningful risk to broadcast uptime.