Crestron Devices Command Injection Vulnerability in SSH Console Access

Vulnerability

A command injection vulnerability has been identified in certain Crestron touch panel models, including the TSW-570, TSW-770, TSW-1070, TS-770, TS-1070, TSS-770, and TSS-1070. This vulnerability arises from a flaw in how a hidden console command processes control characters in its second argument, allowing authenticated attackers with SSH access to execute underlying operating system commands. The issue is present in firmware version 3.003.0015.001 and affects devices running Android 10 or 12.
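The class of flaw described above, seen from the side of a console command handler: this is an added illustration, not Crestron's code and not taken from the advisory. The command name `setlabel`, its path and its argument count are hypothetical, and the sample lines are constructed. The handler rejects any control character before tokenizing and hands arguments to the operating system as a list, never as a shell string.

```python
import unicodedata

# Hypothetical allowlist: console command -> (fixed executable, argument count).
# The name and path are invented for this example.
COMMANDS = {"setlabel": ("/system/bin/setlabel", 2)}


class RejectedCommand(ValueError):
    """Raised when a console line must not reach the operating system."""


def has_control_chars(text):
    # Unicode category Cc covers the C0 controls (NUL, TAB, LF, CR, ESC, ...),
    # DEL and the C1 controls.
    return any(unicodedata.category(ch) == "Cc" for ch in text)


def build_argv(line):
    """Turn one console line into an argv list, or raise RejectedCommand."""
    # Check the raw line before tokenizing: a tokenizer that splits on all
    # whitespace would swallow a line break and hide it from later checks.
    if has_control_chars(line):
        raise RejectedCommand("control character in console line")
    tokens = [t for t in line.split(" ") if t]
    if not tokens or tokens[0] not in COMMANDS:
        raise RejectedCommand("unknown command")
    executable, arg_count = COMMANDS[tokens[0]]
    args = tokens[1:]
    if len(args) != arg_count:
        raise RejectedCommand("wrong number of arguments")
    # Intended for subprocess.run(argv, shell=False): each argument stays one
    # argv element and is never re-parsed by a shell.
    return [executable, *args]


def is_accepted(line):
    try:
        build_argv(line)
        return True
    except RejectedCommand:
        return False


# Constructed sample console lines (not captured from a device).
SAMPLES = [
    "setlabel panel1 Lobby",         # well-formed
    "setlabel panel1 Lobby\nextra",  # line feed inside the second argument
    "setlabel panel1 Lob\x1bby",     # escape character inside the second argument
    "reboot now",                    # not on the allowlist
]
RESULTS = [is_accepted(s) for s in SAMPLES]
```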

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the device's operating system.

Reproduction

To reproduce this vulnerability, access the affected Crestron device via SSH. Once connected, send a command to the console that includes control characters in the second argument. The device will process the command and execute it at the operating system level, demonstrating the command injection flaw.

Remediation

Users can update their devices to the latest firmware version available through the Crestron Auto Update servers or via the Crestron Toolbox. For instructions on how to perform a manual update, refer to the Crestron Touch Panel Update Guide.

Added: May 5, 2026, 4:21 PM
Updated: May 5, 2026, 4:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 3.8
remediation: 0.0
relevance: 7.5
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.