Search criteria
8 vulnerabilities found for Automate VX by Crestron
CVE-2025-47420 (GCVE-0-2025-47420)
Vulnerability from cvelistv5 – Published: 2025-05-06 21:33 – Updated: 2025-05-07 14:03
VLAI?
Title
User Permissions on Network API
Summary
266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Severity ?
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron | Automate VX |
Affected:
5.6.8161.21536 , ≤ 6.4.0.49
(custom)
|
Credits
Crestron Electronics Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47420",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:46:20.078463Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T14:03:50.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate VX",
"vendor": "Crestron",
"versions": [
{
"changes": [
{
"at": "6.4.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.0.49",
"status": "affected",
"version": "5.6.8161.21536",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Crestron Electronics Inc"
}
],
"datePublic": "2025-04-23T21:15:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "266 vulnerability in Crestron Automate VX allows Privilege Escalation.\u003cp\u003eThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.\u003c/p\u003e"
}
],
"value": "266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T21:33:39.188Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com/"
},
{
"tags": [
"patch"
],
"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"
},
{
"tags": [
"release-notes"
],
"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will applies user permissions to API requests. \u003cbr\u003e"
}
],
"value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will applies user permissions to API requests."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "User Permissions on Network API",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limit all API usage to users with full permissions.\n\n\u003cbr\u003e"
}
],
"value": "Limit all API usage to users with full permissions."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47420",
"datePublished": "2025-05-06T21:33:39.188Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-05-07T14:03:50.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47419 (GCVE-0-2025-47419)
Vulnerability from cvelistv5 – Published: 2025-05-06 20:52 – Updated: 2025-05-07 14:03
VLAI?
Title
Non-Secure Access
Summary
Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic.
The device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords.
This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Severity ?
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron | Automate VX |
Affected:
5.6.8161.21536 , ≤ 6.4.0.49
(custom)
|
Credits
Crestron Electronics Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:47:55.617300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T14:03:57.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate VX",
"vendor": "Crestron",
"versions": [
{
"changes": [
{
"at": "6.4.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.0.49",
"status": "affected",
"version": "5.6.8161.21536",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Crestron Electronics Inc"
}
],
"datePublic": "2025-04-23T20:47:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic.\u003cbr\u003e\u003cbr\u003eThe device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords.\n\n\u003cbr\u003e\u003cp\u003eThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.\u003c/p\u003e"
}
],
"value": "Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic.\n\nThe device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords.\n\n\nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."
}
],
"impacts": [
{
"capecId": "CAPEC-158",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-158 Sniffing Network Traffic"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T20:52:44.604Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com/"
},
{
"tags": [
"patch"
],
"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"
},
{
"tags": [
"release-notes"
],
"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCrestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will disables the use of unsecure ports for the Web UI and API.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will disables the use of unsecure ports for the Web UI and API."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Non-Secure Access",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Protect the device at the physical or network layer using an external firewall to prevent unauthorized configuration. \u003cbr\u003e"
}
],
"value": "Protect the device at the physical or network layer using an external firewall to prevent unauthorized configuration."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47419",
"datePublished": "2025-05-06T20:52:44.604Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-05-07T14:03:57.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47418 (GCVE-0-2025-47418)
Vulnerability from cvelistv5 – Published: 2025-05-06 20:13 – Updated: 2025-05-07 14:04
VLAI?
Title
Recording
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.
There is no visible indication when the system is recording and recording can be enabled remotely via a network API.
This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron | Automate VX |
Affected:
5.6.8161.21536 , ≤ 6.4.0.49
(custom)
|
Credits
Crestron Electronics Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47418",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:46:13.710646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T14:04:11.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate VX",
"vendor": "Crestron",
"versions": [
{
"changes": [
{
"at": "6.4.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.0.49",
"status": "affected",
"version": "5.6.8161.21536",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Crestron Electronics Inc"
}
],
"datePublic": "2025-04-23T20:04:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\u003cbr\u003e\u003cbr\u003eThere is no visible indication when the system is recording and recording can be enabled remotely via a network API. \u003cbr\u003e\u003cp\u003eThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\n\nThere is no visible indication when the system is recording and recording can be enabled remotely via a network API. \nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T20:20:24.812Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com/"
},
{
"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"
},
{
"tags": [
"release-notes"
],
"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCrestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eadds \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ea\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e visual\u003c/span\u003e \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eindication\u003c/span\u003e \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eon \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethe program \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003evideo output \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ewhen recording is \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003estarted\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u0026nbsp;\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will\u00a0adds a visual indication on the program video output when recording is started."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Recording",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInform users in the room that they may be recorded. Also, configure the network to only allow needed systems and/or devices to access the API.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Inform users in the room that they may be recorded. Also, configure the network to only allow needed systems and/or devices to access the API."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47418",
"datePublished": "2025-05-06T20:13:38.805Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-05-07T14:04:11.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47417 (GCVE-0-2025-47417)
Vulnerability from cvelistv5 – Published: 2025-05-06 19:49 – Updated: 2025-05-08 18:35
VLAI?
Title
Enable Debug Images
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.
When Enable Debug Images in Crestron Automate VX is active, snapshots of the captured video or portions thereof are stored locally on the system, and there is no visible indication that this is being done.
This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron | Automate VX |
Affected:
5.6.8161.21536 , ≤ 6.4.0.49
(custom)
|
Credits
Crestron Electronics Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47417",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:34:55.584949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T18:35:06.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate VX",
"vendor": "Crestron",
"versions": [
{
"changes": [
{
"at": "6.4.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.0.49",
"status": "affected",
"version": "5.6.8161.21536",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Crestron Electronics Inc"
}
],
"datePublic": "2025-04-23T19:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eWhen Enable Debug Images in Crestron Automate VX is active, snapshots of the captured video or portions thereof are stored locally on the system, and there is no visible indication that this is being done.\u003c/span\u003e\n\n\u003cbr\u003e\u003cp\u003eThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\n\n\n\nWhen Enable Debug Images in Crestron Automate VX is active, snapshots of the captured video or portions thereof are stored locally on the system, and there is no visible indication that this is being done.\n\n\nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T19:49:09.288Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com"
},
{
"tags": [
"patch"
],
"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"
},
{
"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Crestron recommends updating the software to firmware version\u0026nbsp;6.4.1.8 or higher. The\u0026nbsp;firmware update will automatically disables the Enable Debug Images Mode on system startup and reboot (which occurs daily), or if manually disabled, whichever occurs first, and automatically deletes captured images in 24 hours. While active, a visual overlay is applied to the program video output indicating Debug Images Enabled."
}
],
"value": "Crestron recommends updating the software to firmware version\u00a06.4.1.8 or higher. The\u00a0firmware update will automatically disables the Enable Debug Images Mode on system startup and reboot (which occurs daily), or if manually disabled, whichever occurs first, and automatically deletes captured images in 24 hours. While active, a visual overlay is applied to the program video output indicating Debug Images Enabled."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Enable Debug Images",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDeactivate Enable Debug Images and delete stored images.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Deactivate Enable Debug Images and delete stored images."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47417",
"datePublished": "2025-05-06T19:49:09.288Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-05-08T18:35:06.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47420 (GCVE-0-2025-47420)
Vulnerability from nvd – Published: 2025-05-06 21:33 – Updated: 2025-05-07 14:03
VLAI?
Title
User Permissions on Network API
Summary
266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Severity ?
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron | Automate VX |
Affected:
5.6.8161.21536 , ≤ 6.4.0.49
(custom)
|
Credits
Crestron Electronics Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47420",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:46:20.078463Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T14:03:50.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate VX",
"vendor": "Crestron",
"versions": [
{
"changes": [
{
"at": "6.4.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.0.49",
"status": "affected",
"version": "5.6.8161.21536",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Crestron Electronics Inc"
}
],
"datePublic": "2025-04-23T21:15:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "266 vulnerability in Crestron Automate VX allows Privilege Escalation.\u003cp\u003eThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.\u003c/p\u003e"
}
],
"value": "266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T21:33:39.188Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com/"
},
{
"tags": [
"patch"
],
"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"
},
{
"tags": [
"release-notes"
],
"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will applies user permissions to API requests. \u003cbr\u003e"
}
],
"value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will applies user permissions to API requests."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "User Permissions on Network API",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limit all API usage to users with full permissions.\n\n\u003cbr\u003e"
}
],
"value": "Limit all API usage to users with full permissions."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47420",
"datePublished": "2025-05-06T21:33:39.188Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-05-07T14:03:50.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47419 (GCVE-0-2025-47419)
Vulnerability from nvd – Published: 2025-05-06 20:52 – Updated: 2025-05-07 14:03
VLAI?
Title
Non-Secure Access
Summary
Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic.
The device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords.
This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Severity ?
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron | Automate VX |
Affected:
5.6.8161.21536 , ≤ 6.4.0.49
(custom)
|
Credits
Crestron Electronics Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:47:55.617300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T14:03:57.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate VX",
"vendor": "Crestron",
"versions": [
{
"changes": [
{
"at": "6.4.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.0.49",
"status": "affected",
"version": "5.6.8161.21536",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Crestron Electronics Inc"
}
],
"datePublic": "2025-04-23T20:47:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic.\u003cbr\u003e\u003cbr\u003eThe device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords.\n\n\u003cbr\u003e\u003cp\u003eThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.\u003c/p\u003e"
}
],
"value": "Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic.\n\nThe device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords.\n\n\nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."
}
],
"impacts": [
{
"capecId": "CAPEC-158",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-158 Sniffing Network Traffic"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T20:52:44.604Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com/"
},
{
"tags": [
"patch"
],
"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"
},
{
"tags": [
"release-notes"
],
"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCrestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will disables the use of unsecure ports for the Web UI and API.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will disables the use of unsecure ports for the Web UI and API."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Non-Secure Access",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Protect the device at the physical or network layer using an external firewall to prevent unauthorized configuration. \u003cbr\u003e"
}
],
"value": "Protect the device at the physical or network layer using an external firewall to prevent unauthorized configuration."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47419",
"datePublished": "2025-05-06T20:52:44.604Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-05-07T14:03:57.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47418 (GCVE-0-2025-47418)
Vulnerability from nvd – Published: 2025-05-06 20:13 – Updated: 2025-05-07 14:04
VLAI?
Title
Recording
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.
There is no visible indication when the system is recording and recording can be enabled remotely via a network API.
This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron | Automate VX |
Affected:
5.6.8161.21536 , ≤ 6.4.0.49
(custom)
|
Credits
Crestron Electronics Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47418",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:46:13.710646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T14:04:11.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate VX",
"vendor": "Crestron",
"versions": [
{
"changes": [
{
"at": "6.4.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.0.49",
"status": "affected",
"version": "5.6.8161.21536",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Crestron Electronics Inc"
}
],
"datePublic": "2025-04-23T20:04:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\u003cbr\u003e\u003cbr\u003eThere is no visible indication when the system is recording and recording can be enabled remotely via a network API. \u003cbr\u003e\u003cp\u003eThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\n\nThere is no visible indication when the system is recording and recording can be enabled remotely via a network API. \nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T20:20:24.812Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com/"
},
{
"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"
},
{
"tags": [
"release-notes"
],
"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCrestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eadds \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ea\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e visual\u003c/span\u003e \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eindication\u003c/span\u003e \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eon \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethe program \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003evideo output \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ewhen recording is \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003estarted\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u0026nbsp;\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will\u00a0adds a visual indication on the program video output when recording is started."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Recording",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInform users in the room that they may be recorded. Also, configure the network to only allow needed systems and/or devices to access the API.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Inform users in the room that they may be recorded. Also, configure the network to only allow needed systems and/or devices to access the API."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47418",
"datePublished": "2025-05-06T20:13:38.805Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-05-07T14:04:11.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47417 (GCVE-0-2025-47417)
Vulnerability from nvd – Published: 2025-05-06 19:49 – Updated: 2025-05-08 18:35
VLAI?
Title
Enable Debug Images
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.
When Enable Debug Images in Crestron Automate VX is active, snapshots of the captured video or portions thereof are stored locally on the system, and there is no visible indication that this is being done.
This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron | Automate VX |
Affected:
5.6.8161.21536 , ≤ 6.4.0.49
(custom)
|
Credits
Crestron Electronics Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47417",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:34:55.584949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T18:35:06.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate VX",
"vendor": "Crestron",
"versions": [
{
"changes": [
{
"at": "6.4.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.0.49",
"status": "affected",
"version": "5.6.8161.21536",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Crestron Electronics Inc"
}
],
"datePublic": "2025-04-23T19:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eWhen Enable Debug Images in Crestron Automate VX is active, snapshots of the captured video or portions thereof are stored locally on the system, and there is no visible indication that this is being done.\u003c/span\u003e\n\n\u003cbr\u003e\u003cp\u003eThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\n\n\n\nWhen Enable Debug Images in Crestron Automate VX is active, snapshots of the captured video or portions thereof are stored locally on the system, and there is no visible indication that this is being done.\n\n\nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T19:49:09.288Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.crestron.com"
},
{
"tags": [
"patch"
],
"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"
},
{
"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Crestron recommends updating the software to firmware version\u0026nbsp;6.4.1.8 or higher. The\u0026nbsp;firmware update will automatically disables the Enable Debug Images Mode on system startup and reboot (which occurs daily), or if manually disabled, whichever occurs first, and automatically deletes captured images in 24 hours. While active, a visual overlay is applied to the program video output indicating Debug Images Enabled."
}
],
"value": "Crestron recommends updating the software to firmware version\u00a06.4.1.8 or higher. The\u00a0firmware update will automatically disables the Enable Debug Images Mode on system startup and reboot (which occurs daily), or if manually disabled, whichever occurs first, and automatically deletes captured images in 24 hours. While active, a visual overlay is applied to the program video output indicating Debug Images Enabled."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Enable Debug Images",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDeactivate Enable Debug Images and delete stored images.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Deactivate Enable Debug Images and delete stored images."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2025-47417",
"datePublished": "2025-05-06T19:49:09.288Z",
"dateReserved": "2025-05-06T19:36:18.441Z",
"dateUpdated": "2025-05-08T18:35:06.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}