Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A hidden console command is vulnerable to command injection flaw when control characters are passed to its second argument.
A third party researcher Eugene Lim had discovered vulnerability in the way console command passes to a popen function call. Attackers with authenticated access to SSH console of Crestron devices may use to run underlying OS commands.
AnalysisAI
Command injection in Crestron Touchpanels (X60/X70 series) allows authenticated SSH users to execute arbitrary OS commands via control characters in a hidden console command's second argument. Discovered by Eugene Lim, this popen-based injection requires high privilege SSH access and high attack complexity. CVSS 7.4 with CVSS:4.0 metrics indicates network vector (AV:N) but requires high privileges (PR:H) and high complexity (AC:H), limiting real-world exploitation to scenarios where attackers have already compromised SSH credentials. Vendor patch available (firmware 3.003.0015.001). No active exploitation or public POC identified at time of analysis.
Technical ContextAI
This vulnerability affects Crestron touchpanel products (TS-770, TS-1070, TSS-770, TSS-1070, TSW-570 series) through an improper neutralization of special elements in OS command (CWE-88). The flaw exists in a hidden console command that passes user-supplied input containing control characters directly to a popen() system call without sanitization. The popen() function creates a shell process and executes commands, making it a common attack surface for command injection when input validation is insufficient. Control characters (ASCII 0x00-0x1F) can manipulate shell interpretation, allowing command chaining, subshell execution, or argument injection. The CPE string identifies Crestron Electronics touchpanel products with hardware designations X60/X70, which are typically deployed as building automation controllers in commercial/industrial environments with network-connected management interfaces.
RemediationAI
Apply vendor-released firmware update 3.003.0015.001 available from https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-TSS-770-TSS-1070-TSW-570/3-003-0015-001. Review release notes at https://www.crestron.com/release_notes/tsw-xx70_3.003.0015.001_release_notes.pdf before deployment to identify any breaking changes or compatibility requirements. If immediate patching is not feasible, implement compensating controls: restrict SSH access to the touchpanel management interface to specific trusted IP ranges via firewall rules (blocks network vector but may impact remote management workflows), disable SSH service entirely if console access can be performed through physical serial connections (eliminates attack vector but requires on-site technician access for troubleshooting), implement SSH key-based authentication with certificate authorities and disable password authentication (raises attacker effort but does not prevent exploitation if keys are compromised), and audit all accounts with SSH access to remove unnecessary high-privilege credentials (reduces PR:H attack surface but requires careful review to avoid breaking automation scripts). Monitor SSH authentication logs for unusual access patterns or failed authentication attempts from unexpected sources.
Same technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27394
GHSA-m8qg-qjx9-mfv3