CVE-2023-6926 HIGH

CVE-2023-6926: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Crestron AM-300

Vendor Crestron

Product AM-300

Weakness CWE-78

Published January 23, 2024

Last update November 13, 2024

View on NVD All CVEs

CVSS base score

8.4/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

There is an OS command injection vulnerability in Crestron AM-300 firmware version 1.4499.00018 which may enable a user of a limited-access SSH session to escalate their privileges to root-level access.

Key dates

02Disclosure timeline

January 23, 2024 CVE published

November 13, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-6926

Related vulnerabilities

04Related CVE

CVE-2021-32512 QSAN Storage Manager - Command Injection Following via QuickInstall function CVE-2026-10727 CVE-2025-30289 ColdFusion | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) CVE-2025-10622 Foreman: os command injection via ct_location and fcct_location parameters CVE-2024-9463 Expedition: Unauthenticated OS Command Injection Vulnerability Leads to Firewall Credential Disclosure