PT-2026-37084 · Crestron · Crestron Devices
Eugene Lim · Published 2026-05-05 · Updated 2026-05-08 · CVE-2026-7865
CVSS v4.0: 7.4 (High)
| Vector | AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Crestron devices (affected versions not specified)
Description
A hidden console command contains a command injection flaw that occurs when control characters are passed in its second argument. The issue lies in the way the console command is passed to the popen() function. Authenticated attackers with SSH console access can exploit this to execute underlying operating system commands.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
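The defensive pattern for this class of flaw is to validate each argument against an allowlist and start the helper with an argument vector instead of a popen() shell string. The sketch below is an added example, not Crestron code: the helper path, the function names `arg_is_safe` and `run_helper`, and the allowlist itself are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Allowlist check (assumed policy): 1..64 chars from [A-Za-z0-9._-].
 * This rejects control characters (newline, tab, ...) and shell
 * metacharacters; a leading '-' is refused so the value cannot be
 * read as an option by the helper (argument injection). */
int arg_is_safe(const char *arg) {
    size_t n = strlen(arg);
    if (n == 0 || n > 64 || arg[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Run a helper with two validated arguments and no shell in between.
 * Returns the helper's exit status, or -1 if an argument is rejected
 * or the process cannot be started. */
int run_helper(const char *helper, const char *arg1, const char *arg2) {
    if (!arg_is_safe(arg1) || !arg_is_safe(arg2)) return -1;
    /* argv entries reach the helper verbatim; nothing is parsed by sh. */
    char *const argv[] = { (char *)helper, (char *)arg1, (char *)arg2, NULL };
    pid_t pid;
    if (posix_spawn(&pid, helper, NULL, NULL, argv, environ) != 0) return -1;
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: one benign, one carrying a newline. */
    printf("benign   -> %d\n", run_helper("/bin/echo", "status", "eth0"));
    printf("rejected -> %d\n", run_helper("/bin/echo", "status", "eth0\nextra"));
    return 0;
}
```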
Argument Injection
Weakness Enumeration
Related Identifiers
Affected Products
Crestron Devices