Search criteria
7 vulnerabilities
CVE-2025-47415 (GCVE-0-2025-47415)
Vulnerability from cvelistv5 – Published: 2025-09-09 19:20 – Updated: 2025-09-10 15:47
VLAI?
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CRESTRON TOUCHSCREENS x70 allows Relative Path Traversal.This issue affects TOUCHSCREENS x70: from 3.000.0110.001 before 3.001.0031.001.
Confirmed Affected Hardware: TSW-760, TSW-1060
Confirmed Affected Firmware: 3.002.1061 - (no fix released, product discontinued)
For x70
The Affected Firmware:- 3.000.0110.001 and versions below
The Fixed Firmware:- 3.001.0031.001
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CRESTRON | TOUCHSCREENS x60, x70 series |
Affected:
3.000.0110.001 , < 3.001.0031.001
(custom)
|
Credits
IBM
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T15:41:57.276783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T15:47:05.306Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TOUCHSCREENS x60, x70 series",
"vendor": "CRESTRON",
"versions": [
{
"changes": [
{
"at": "3.001.0031.001",
"status": "unaffected"
}
],
"lessThan": "3.001.0031.001",
"status": "affected",
"version": "3.000.0110.001",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "IBM"
}
],
"datePublic": "2025-06-09T18:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in CRESTRON TOUCHSCREENS x70 allows Relative Path Traversal.\u003cp\u003eThis issue affects TOUCHSCREENS x70: from 3.000.0110.001 before 3.001.0031.001.\u003cbr\u003e\u003cbr\u003e\n\n\u003c/p\u003e\u003cdiv\u003e\u003cp\u003e\u003c/p\u003e\u003c/div\u003e\n\n\u003cdiv\u003e\u003cp\u003eConfirmed Affected Hardware:\u202fTSW-760, TSW-1060 \u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eConfirmed Affected Firmware:\u202f3.002.1061\u003c/span\u003e\u0026nbsp;- \u003ci\u003e(no fix released, product discontinued)\u003c/i\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eFor x70\u202f\u0026nbsp;\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThe Affected Firmware:- 3.000.0110.001 \u202fand versions below \u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThe Fixed Firmware:- 3.001.0031.001 \u003c/p\u003e\u003c/div\u003e\n\n\u003cdiv\u003e\u003cp\u003e \u003c/p\u003e\u003c/div\u003e\n\n\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in CRESTRON TOUCHSCREENS x70 allows Relative Path Traversal.This issue affects TOUCHSCREENS x70: from 3.000.0110.001 before 3.001.0031.001.\n\n\n\n\n\n\n\n\n\n\n\nConfirmed Affected Hardware:\u202fTSW-760, TSW-1060 \n\n\n\nConfirmed Affected Firmware:\u202f3.002.1061\u00a0- (no fix released, product discontinued)\n\n\n\n\u00a0\n\nFor x70\u202f\u00a0\n\n\n\nThe Affected Firmware:- 3.000.0110.001 \u202fand versions below \n\n\n\nThe Fixed Firmware:- 3.001.0031.001"
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T19:20:35.244Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com"
},
{
"tags": [
"patch"
],
"url": "https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-TSS-770-TSS-1070-TSW-570/3-002-0040-001"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "RECWAVE Filepath Traversal",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47415",
"datePublished": "2025-09-09T19:20:35.244Z",
"dateReserved": "2025-05-06T19:36:18.439Z",
"dateUpdated": "2025-09-10T15:47:05.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47416 (GCVE-0-2025-47416)
Vulnerability from cvelistv5 – Published: 2025-09-09 13:52 – Updated: 2025-09-09 14:06
VLAI?
Summary
A vulnerability exists in the ConsoleFindCommandMatchList function in libsymproc. so imported by ctpd that may lead to unauthorized execution of an attacker-defined file that gets prioritized by the ConsoleFindCommandMatchList.
A third-party researcher discovered that the ConsoleFindCommandMatchList enumerates the /dev/shm/symproc/c directory in alphabetical order to identify console commands. Permission levels are inferred from the integer values present in each command's file name.
Confirmed Affected Hardware: TSW-760, TSW-1060
Confirmed Affected Firmware: 3.002.1061
Fixed Firmware: no fixed released (product is discontinued and end of life)
For x70
The Affected Firmware:- 3.000.0110.001 and versions below
The Fixed Firmware:- 3.001.0031.001
Severity ?
CWE
- CWE-697 - Incorrect Comparison
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| CRESTRON | TOUCHSCREEN x70 |
Affected:
3.000.0110.001 , < 3.001.0031.001
(custom)
|
|||||||
|
|||||||||
Credits
IBM
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47416",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T14:06:09.910159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T14:06:41.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TOUCHSCREEN x70",
"vendor": "CRESTRON",
"versions": [
{
"changes": [
{
"at": "3.001.0031.001",
"status": "unaffected"
}
],
"lessThan": "3.001.0031.001",
"status": "affected",
"version": "3.000.0110.001",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Touchscreen x60s",
"vendor": "CRESTRON",
"versions": [
{
"status": "affected",
"version": "3.002.1061"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "IBM"
}
],
"datePublic": "2025-06-09T13:21:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability exists in the ConsoleFindCommandMatchList\u202ffunction in libsymproc. so\u202fimported by ctpd that may lead to unauthorized execution of an attacker-defined file that gets prioritized by the ConsoleFindCommandMatchList.\u003cbr\u003e\u003cbr\u003e\n\nA third-party researcher discovered that the ConsoleFindCommandMatchList\u202fenumerates the /dev/shm/symproc/c directory in alphabetical order to identify console commands. Permission levels are inferred from the integer values present in each command\u0027s file name.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\n\n\u003cdiv\u003e\u003cp\u003eConfirmed Affected Hardware:\u202fTSW-760, TSW-1060 \u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(239, 250, 102);\"\u003eConfirmed Affected Firmware:\u202f3.002.1061\u0026nbsp;\u003c/span\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eFixed Firmware: no fixed released\u0026nbsp;\u003ci\u003e(product is discontinued and end of life)\u003c/i\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eFor x70\u202f\u0026nbsp;\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThe Affected Firmware:- 3.000.0110.001 \u202fand versions below \u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThe Fixed Firmware:- 3.001.0031.001\u003c/p\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "A vulnerability exists in the ConsoleFindCommandMatchList\u202ffunction in libsymproc. so\u202fimported by ctpd that may lead to unauthorized execution of an attacker-defined file that gets prioritized by the ConsoleFindCommandMatchList.\n\n\n\nA third-party researcher discovered that the ConsoleFindCommandMatchList\u202fenumerates the /dev/shm/symproc/c directory in alphabetical order to identify console commands. Permission levels are inferred from the integer values present in each command\u0027s file name.\u00a0\n\n\n\nConfirmed Affected Hardware:\u202fTSW-760, TSW-1060 \n\n\n\nConfirmed Affected Firmware:\u202f3.002.1061\u00a0\n\n\n\nFixed Firmware: no fixed released\u00a0(product is discontinued and end of life)\n\n\n\n\u00a0\n\n\n\nFor x70\u202f\u00a0\n\n\n\nThe Affected Firmware:- 3.000.0110.001 \u202fand versions below \n\n\n\nThe Fixed Firmware:- 3.001.0031.001"
}
],
"impacts": [
{
"capecId": "CAPEC-43",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-43 Exploiting Multiple Input Interpretation Layers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697 Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:52:45.855Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com"
},
{
"tags": [
"patch"
],
"url": "https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-TSS-770-TSS-1070-TSW-570/3-002-0040-001"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ConsoleFindCommandMatchList",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47416",
"datePublished": "2025-09-09T13:52:45.855Z",
"dateReserved": "2025-05-06T19:36:18.440Z",
"dateUpdated": "2025-09-09T14:06:41.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47421 (GCVE-0-2025-47421)
Vulnerability from cvelistv5 – Published: 2025-09-03 13:49 – Updated: 2025-09-03 13:59
VLAI?
Summary
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection.This issue affects TOUCHSCREENS x70: from 3.001.0031.001 through 3.001.0034.001.
A specially crafted SCP command sent via SSH login string can lead a valid administrator user to gain Privileged Operating System access on the device.
Following Products Models are affected:
TSW-x70
TSW-x60
TST-1080
AM-3000/3100/3200
Soundbar VB70
HD-PS622/621/402
HD-TXU-RXU-4kZ-211
HD-MDNXM-4KZ-E
*Note: additional firmware updates will be published once made available
Severity ?
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CRESTRON | TOUCHSCREENS x70 |
Affected:
3.001.0031.001 , < 3.001.0034.001
(custom)
|
Credits
Frank Slezak
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T13:59:12.682369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T13:59:32.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TOUCHSCREENS x70",
"vendor": "CRESTRON",
"versions": [
{
"lessThan": "3.001.0034.001",
"status": "affected",
"version": "3.001.0031.001",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Frank Slezak"
}
],
"datePublic": "2025-07-25T13:24:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027) vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection.\u003cp\u003eThis issue affects TOUCHSCREENS x70: from 3.001.0031.001 through 3.001.0034.001.\u003cbr\u003e\u003cbr\u003eA specially crafted SCP command sent via SSH login string can lead a valid administrator user to gain Privileged Operating System access on the device.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eFollowing Products Models are affected:\u003cbr\u003e\u003cbr\u003eTSW-x70 \u003cbr\u003eTSW-x60 \u003cbr\u003eTST-1080\u003cbr\u003eAM-3000/3100/3200\u003cbr\u003eSoundbar VB70\u003cbr\u003eHD-PS622/621/402\u003cbr\u003eHD-TXU-RXU-4kZ-211\u003cbr\u003eHD-MDNXM-4KZ-E\u003cbr\u003e\u003cbr\u003e*Note: additional firmware updates will be published once made available\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027) vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection.This issue affects TOUCHSCREENS x70: from 3.001.0031.001 through 3.001.0034.001.\n\nA specially crafted SCP command sent via SSH login string can lead a valid administrator user to gain Privileged Operating System access on the device.\n\n\nFollowing Products Models are affected:\n\nTSW-x70 \nTSW-x60 \nTST-1080\nAM-3000/3100/3200\nSoundbar VB70\nHD-PS622/621/402\nHD-TXU-RXU-4kZ-211\nHD-MDNXM-4KZ-E\n\n*Note: additional firmware updates will be published once made available"
}
],
"impacts": [
{
"capecId": "CAPEC-6",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-6 Argument Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T13:49:40.856Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com"
},
{
"tags": [
"patch"
],
"url": "https://https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-TSS-770-TSS-1070-TSW-570/3-002-0040-001"
},
{
"tags": [
"release-notes"
],
"url": "https://https://www.crestron.com/release_notes/tsw-xx70_3.002.0040.001_release_notes.pdf"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Privilege escalation via SCP login",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47421",
"datePublished": "2025-09-03T13:49:40.856Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-09-03T13:59:32.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47420 (GCVE-0-2025-47420)
Vulnerability from cvelistv5 – Published: 2025-05-06 21:33 – Updated: 2025-05-07 14:03
VLAI?
Summary
266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Severity ?
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron | Automate VX |
Affected:
5.6.8161.21536 , ≤ 6.4.0.49
(custom)
|
Credits
Crestron Electronics Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47420",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:46:20.078463Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T14:03:50.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate VX",
"vendor": "Crestron",
"versions": [
{
"changes": [
{
"at": "6.4.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.0.49",
"status": "affected",
"version": "5.6.8161.21536",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Crestron Electronics Inc"
}
],
"datePublic": "2025-04-23T21:15:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "266 vulnerability in Crestron Automate VX allows Privilege Escalation.\u003cp\u003eThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.\u003c/p\u003e"
}
],
"value": "266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T21:33:39.188Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com/"
},
{
"tags": [
"patch"
],
"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"
},
{
"tags": [
"release-notes"
],
"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will applies user permissions to API requests. \u003cbr\u003e"
}
],
"value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will applies user permissions to API requests."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "User Permissions on Network API",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limit all API usage to users with full permissions.\n\n\u003cbr\u003e"
}
],
"value": "Limit all API usage to users with full permissions."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47420",
"datePublished": "2025-05-06T21:33:39.188Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-05-07T14:03:50.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47419 (GCVE-0-2025-47419)
Vulnerability from cvelistv5 – Published: 2025-05-06 20:52 – Updated: 2025-05-07 14:03
VLAI?
Summary
Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic.
The device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords.
This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Severity ?
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron | Automate VX |
Affected:
5.6.8161.21536 , ≤ 6.4.0.49
(custom)
|
Credits
Crestron Electronics Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:47:55.617300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T14:03:57.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate VX",
"vendor": "Crestron",
"versions": [
{
"changes": [
{
"at": "6.4.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.0.49",
"status": "affected",
"version": "5.6.8161.21536",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Crestron Electronics Inc"
}
],
"datePublic": "2025-04-23T20:47:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic.\u003cbr\u003e\u003cbr\u003eThe device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords.\n\n\u003cbr\u003e\u003cp\u003eThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.\u003c/p\u003e"
}
],
"value": "Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic.\n\nThe device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords.\n\n\nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."
}
],
"impacts": [
{
"capecId": "CAPEC-158",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-158 Sniffing Network Traffic"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T20:52:44.604Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com/"
},
{
"tags": [
"patch"
],
"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"
},
{
"tags": [
"release-notes"
],
"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCrestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will disables the use of unsecure ports for the Web UI and API.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will disables the use of unsecure ports for the Web UI and API."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Non-Secure Access",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Protect the device at the physical or network layer using an external firewall to prevent unauthorized configuration. \u003cbr\u003e"
}
],
"value": "Protect the device at the physical or network layer using an external firewall to prevent unauthorized configuration."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47419",
"datePublished": "2025-05-06T20:52:44.604Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-05-07T14:03:57.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47418 (GCVE-0-2025-47418)
Vulnerability from cvelistv5 – Published: 2025-05-06 20:13 – Updated: 2025-05-07 14:04
VLAI?
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.
There is no visible indication when the system is recording and recording can be enabled remotely via a network API.
This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron | Automate VX |
Affected:
5.6.8161.21536 , ≤ 6.4.0.49
(custom)
|
Credits
Crestron Electronics Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47418",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:46:13.710646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T14:04:11.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate VX",
"vendor": "Crestron",
"versions": [
{
"changes": [
{
"at": "6.4.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.0.49",
"status": "affected",
"version": "5.6.8161.21536",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Crestron Electronics Inc"
}
],
"datePublic": "2025-04-23T20:04:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\u003cbr\u003e\u003cbr\u003eThere is no visible indication when the system is recording and recording can be enabled remotely via a network API. \u003cbr\u003e\u003cp\u003eThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\n\nThere is no visible indication when the system is recording and recording can be enabled remotely via a network API. \nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T20:20:24.812Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com/"
},
{
"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"
},
{
"tags": [
"release-notes"
],
"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCrestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eadds \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ea\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e visual\u003c/span\u003e \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eindication\u003c/span\u003e \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eon \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethe program \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003evideo output \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ewhen recording is \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003estarted\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u0026nbsp;\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will\u00a0adds a visual indication on the program video output when recording is started."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Recording",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInform users in the room that they may be recorded. Also, configure the network to only allow needed systems and/or devices to access the API.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Inform users in the room that they may be recorded. Also, configure the network to only allow needed systems and/or devices to access the API."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47418",
"datePublished": "2025-05-06T20:13:38.805Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-05-07T14:04:11.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47417 (GCVE-0-2025-47417)
Vulnerability from cvelistv5 – Published: 2025-05-06 19:49 – Updated: 2025-05-08 18:35
VLAI?
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.
When Enable Debug Images in Crestron Automate VX is active, snapshots of the captured video or portions thereof are stored locally on the system, and there is no visible indication that this is being done.
This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron | Automate VX |
Affected:
5.6.8161.21536 , ≤ 6.4.0.49
(custom)
|
Credits
Crestron Electronics Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47417",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:34:55.584949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T18:35:06.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate VX",
"vendor": "Crestron",
"versions": [
{
"changes": [
{
"at": "6.4.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.0.49",
"status": "affected",
"version": "5.6.8161.21536",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Crestron Electronics Inc"
}
],
"datePublic": "2025-04-23T19:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eWhen Enable Debug Images in Crestron Automate VX is active, snapshots of the captured video or portions thereof are stored locally on the system, and there is no visible indication that this is being done.\u003c/span\u003e\n\n\u003cbr\u003e\u003cp\u003eThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\n\n\n\nWhen Enable Debug Images in Crestron Automate VX is active, snapshots of the captured video or portions thereof are stored locally on the system, and there is no visible indication that this is being done.\n\n\nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T19:49:09.288Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com"
},
{
"tags": [
"patch"
],
"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"
},
{
"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Crestron recommends updating the software to firmware version\u0026nbsp;6.4.1.8 or higher. The\u0026nbsp;firmware update will automatically disables the Enable Debug Images Mode on system startup and reboot (which occurs daily), or if manually disabled, whichever occurs first, and automatically deletes captured images in 24 hours. While active, a visual overlay is applied to the program video output indicating Debug Images Enabled."
}
],
"value": "Crestron recommends updating the software to firmware version\u00a06.4.1.8 or higher. The\u00a0firmware update will automatically disables the Enable Debug Images Mode on system startup and reboot (which occurs daily), or if manually disabled, whichever occurs first, and automatically deletes captured images in 24 hours. While active, a visual overlay is applied to the program video output indicating Debug Images Enabled."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Enable Debug Images",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDeactivate Enable Debug Images and delete stored images.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Deactivate Enable Debug Images and delete stored images."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47417",
"datePublished": "2025-05-06T19:49:09.288Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-05-08T18:35:06.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}