PT-2016-2702 · Crestron · Crestron Airmedia Am-100

Zach Lanier · Published 2016-08-03 · Updated 2016-08-15 · CVE-2016-5640

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Crestron AirMedia AM-100 versions prior to 1.4.0.13

Description: The issue is a directory traversal vulnerability in the cgi-bin/rftest.cgi file of the Crestron AirMedia AM-100 presentation server's firmware. A remote attacker can exploit it to execute arbitrary commands via the ATE COMMAND parameter by using a .. (dot dot) sequence.

Recommendations: For versions prior to 1.4.0.13, update the firmware to version 1.4.0.13 or later to resolve the issue. As a temporary workaround, restrict access to the cgi-bin/rftest.cgi file to minimize the risk of exploitation, and avoid using the ATE COMMAND parameter of the vulnerable endpoint until the firmware is updated.

Exploit

Fix

Command Injection


Weakness Enumeration

Related identifiers

BDU:2016-02096
CVE-2016-5640

Affected products

Crestron Airmedia Am-100