Skip to main content

Touchpanels X60 X70

1 CVEs product

Monthly

CVE-2026-7865 HIGH PATCH This Week

Command injection in Crestron Touchpanels (X60/X70 series) allows authenticated SSH users to execute arbitrary OS commands via control characters in a hidden console command's second argument. Discovered by Eugene Lim, this popen-based injection requires high privilege SSH access and high attack complexity. CVSS 7.4 with CVSS:4.0 metrics indicates network vector (AV:N) but requires high privileges (PR:H) and high complexity (AC:H), limiting real-world exploitation to scenarios where attackers have already compromised SSH credentials. Vendor patch available (firmware 3.003.0015.001). No active exploitation or public POC identified at time of analysis.

Command Injection Touchpanels X60 X70
NVD
CVSS 4.0
7.4
EPSS
0.3%
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Command injection in Crestron Touchpanels (X60/X70 series) allows authenticated SSH users to execute arbitrary OS commands via control characters in a hidden console command's second argument. Discovered by Eugene Lim, this popen-based injection requires high privilege SSH access and high attack complexity. CVSS 7.4 with CVSS:4.0 metrics indicates network vector (AV:N) but requires high privileges (PR:H) and high complexity (AC:H), limiting real-world exploitation to scenarios where attackers have already compromised SSH credentials. Vendor patch available (firmware 3.003.0015.001). No active exploitation or public POC identified at time of analysis.

Command Injection Touchpanels X60 X70
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy