Skip to main content

Crestron Touchpanels EUVDEUVD-2026-27394

| CVE-2026-7865 HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-05 Crestron GHSA-m8qg-qjx9-mfv3
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 05, 2026 - 16:31 vuln.today
CVSS changed
May 05, 2026 - 16:22 NVD
7.4 (HIGH)

DescriptionCVE.org

A hidden console command is vulnerable to command injection flaw when control characters are passed to its second argument.

A third party researcher Eugene Lim had discovered vulnerability in the way console command passes to a popen function call. Attackers with authenticated access to SSH console of Crestron devices may use to run underlying OS commands.

AnalysisAI

Command injection in Crestron Touchpanels (X60/X70 series) allows authenticated SSH users to execute arbitrary OS commands via control characters in a hidden console command's second argument. Discovered by Eugene Lim, this popen-based injection requires high privilege SSH access and high attack complexity. CVSS 7.4 with CVSS:4.0 metrics indicates network vector (AV:N) but requires high privileges (PR:H) and high complexity (AC:H), limiting real-world exploitation to scenarios where attackers have already compromised SSH credentials. Vendor patch available (firmware 3.003.0015.001). No active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability affects Crestron touchpanel products (TS-770, TS-1070, TSS-770, TSS-1070, TSW-570 series) through an improper neutralization of special elements in OS command (CWE-88). The flaw exists in a hidden console command that passes user-supplied input containing control characters directly to a popen() system call without sanitization. The popen() function creates a shell process and executes commands, making it a common attack surface for command injection when input validation is insufficient. Control characters (ASCII 0x00-0x1F) can manipulate shell interpretation, allowing command chaining, subshell execution, or argument injection. The CPE string identifies Crestron Electronics touchpanel products with hardware designations X60/X70, which are typically deployed as building automation controllers in commercial/industrial environments with network-connected management interfaces.

RemediationAI

Apply vendor-released firmware update 3.003.0015.001 available from https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-TSS-770-TSS-1070-TSW-570/3-003-0015-001. Review release notes at https://www.crestron.com/release_notes/tsw-xx70_3.003.0015.001_release_notes.pdf before deployment to identify any breaking changes or compatibility requirements. If immediate patching is not feasible, implement compensating controls: restrict SSH access to the touchpanel management interface to specific trusted IP ranges via firewall rules (blocks network vector but may impact remote management workflows), disable SSH service entirely if console access can be performed through physical serial connections (eliminates attack vector but requires on-site technician access for troubleshooting), implement SSH key-based authentication with certificate authorities and disable password authentication (raises attacker effort but does not prevent exploitation if keys are compromised), and audit all accounts with SSH access to remove unnecessary high-privilege credentials (reduces PR:H attack surface but requires careful review to avoid breaking automation scripts). Monitor SSH authentication logs for unusual access patterns or failed authentication attempts from unexpected sources.

Share

EUVD-2026-27394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy