What the vulnerability does

01Description

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to argumention injection to the curl binary via crafted HTTP requests to return.cgi. A remote, authenticated attacker can use this vulnerability to upload files to the device and ultimately execute code as root.

Key dates

02Disclosure timeline

April 30, 2019 CVE published
August 4, 2024 Record updated