Vulnerabilities > Crestron
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-23 | CVE-2023-6926 | OS Command Injection vulnerability in Crestron Am-300 Firmware 1.4499.00018 There is an OS command injection vulnerability in Crestron AM-300 firmware version 1.4499.00018 which may enable a user of a limited-access SSH session to escalate their privileges to root-level access. | 7.8 |
| 2023-07-17 | CVE-2023-38405 | Unspecified vulnerability in Crestron products On Crestron 3-Series Control Systems before 1.8001.0187, crafting and sending a specific BACnet packet can cause a crash. | 7.5 |
| 2022-09-23 | CVE-2022-40298 | Incorrect Permission Assignment for Critical Resource vulnerability in Crestron Airmedia 4.3.1.39 Crestron AirMedia for Windows before 5.5.1.84 has insecure inherited permissions, which leads to a privilege escalation vulnerability found in the AirMedia Windows Application, version 4.3.1.39. | 8.8 |
| 2022-09-13 | CVE-2022-34101 | Uncontrolled Search Path Element vulnerability in Crestron Airmedia 4.3.1.39 A vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can place a malicious DLL in a certain path to execute code and preform a privilege escalation attack. | 7.8 |
| 2022-09-13 | CVE-2022-34102 | Unspecified vulnerability in Crestron Airmedia 4.3.1.39 Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt. | 8.8 |
| 2022-09-13 | CVE-2022-34100 | Unspecified vulnerability in Crestron Airmedia 4.3.1.39 A vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a low-privileged user can gain a SYSTEM level command prompt by pre-staging a file structure prior to the installation of a trusted service executable and change permissions on that file structure during a repair operation. | 8.8 |
| 2022-01-15 | CVE-2022-23178 | Improper Authentication vulnerability in Crestron Hd-Md4X2-4K-E Firmware 1.0.0.2159 An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. | 9.8 |
| 2021-07-30 | CVE-2020-16839 | Improper Authentication vulnerability in Crestron products On Crestron DM-NVX-DIR, DM-NVX-DIR80, and DM-NVX-ENT devices before the DM-XIO/1-0-3-802 patch, the password can be changed by sending an unauthenticated WebSocket request. | 7.5 |
| 2019-11-27 | CVE-2019-18184 | OS Command Injection vulnerability in Crestron Dmc-Stro Firmware 1.0 Crestron DMC-STRO 1.0 devices allow remote command execution as root via shell metacharacters to the ping function. | 9.8 |
| 2019-04-30 | CVE-2019-3939 | Use of Hard-coded Credentials vulnerability in Crestron Am-100 Firmware and Am-101 Firmware Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 use default credentials admin/admin and moderator/moderator for the web interface. | 9.8 |