Sennheiser's HeadSetup and HeadSetup Pro software poses a security risk, according to a vulnerability disclosure from Germany's Secorvo Security Consulting. The headphone maker is now urging users to update to new versions of the software after researchers revealed that its installer added a self-signed root certificate to the Trusted Root CA certificate store and shipped the corresponding private key on the same machine (stored in encrypted form, but recoverable from the installation). Anyone who extracts that key can issue a certificate for any website, and every computer carrying the root certificate will trust it, which enables man-in-the-middle (MITM) attacks against HTTPS connections.
Sennheiser says the update removes the vulnerable certificates from HeadSetup; it can be downloaded from the company's support site. Because the certificate lives in the operating system's trust store rather than inside the application, it is worth confirming after updating that the certificate is actually gone. To be clear, the problem lies in the companion software, not in the company's hardware, which ranges from wireless headphones to office headsets.
In the wake of Secorvo's report, Microsoft also issued an advisory warning that the private keys for certificates installed by Sennheiser's apps had been inadvertently disclosed, which could allow attackers to spoof websites or content. The flaw is being compared to the Lenovo Superfish incident from 2015: adware preloaded on Lenovo laptops installed a root certificate, with a single private key shared across every affected machine, that let anyone who extracted the key intercept users' encrypted web traffic.
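The mechanism behind both the HeadSetup and Superfish cases is the same: a root certificate in the trust store plus a leaked private key lets an attacker mint a certificate for any hostname that the victim's machine will accept. The following added example (not code from Sennheiser, Secorvo or Microsoft) demonstrates that with Go's standard library. The certificate names, key type and hostname are assumptions chosen for illustration; a "rogue root" is generated in memory to stand in for the leaked one, a leaf certificate for an arbitrary site is signed with its key, and the leaf is then checked against a client that trusts the rogue root and against one that does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RogueRoot models a vendor-installed root CA whose private key is available
// to anyone with the software. Hypothetical stand-in for the leaked certificate;
// the name and key type are assumptions, not the real certificate's values.
type RogueRoot struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewRogueRoot builds a self-signed CA certificate, the shape of what an
// installer would drop into the Trusted Root store.
func NewRogueRoot() (*RogueRoot, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Headset Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &RogueRoot{Cert: cert, Key: key}, nil
}

// ForgeLeaf is the attacker's step: with the leaked CA key, sign a server
// certificate for any hostname of their choosing.
func (r *RogueRoot) ForgeLeaf(host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, r.Cert, &leafKey.PublicKey, r.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Accepted reports whether a client whose trust store is roots would pass
// TLS certificate verification for leaf presented by host.
func Accepted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Demo forges a certificate for host and returns whether it is accepted by a
// client that trusts the rogue root and by one whose trust store lacks it.
func Demo(host string) (withRogueRoot, withoutRogueRoot bool, err error) {
	root, err := NewRogueRoot()
	if err != nil {
		return false, false, err
	}
	leaf, err := root.ForgeLeaf(host)
	if err != nil {
		return false, false, err
	}
	poisoned := x509.NewCertPool()
	poisoned.AddCert(root.Cert)
	clean := x509.NewCertPool() // empty store: the forged leaf cannot chain to anything
	return Accepted(leaf, poisoned, host), Accepted(leaf, clean, host), nil
}

func main() {
	a, b, err := Demo("login.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged cert accepted with rogue root: %v, without it: %v\n", a, b)
}
```

The point of the two trust stores is that nothing about the forged certificate itself is suspicious to a client; the only thing that decides acceptance is whether the rogue root sits in the store, which is why removing the certificate from the trust store matters more than updating the application that put it there.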