CVE-2026-7865 HIGH

CVE-2026-7865: Hidden Console Command

Vendor Crestron Electronics
Product Touchpanels (x60/x70)
Weakness CWE-88
Published May 5, 2026
Last update May 6, 2026

CVSS base score

7.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A hidden console command is vulnerable to command injection flaw when control characters are passed to its second argument.  A third party researcher Eugene Lim had discovered vulnerability in the way console command passes to a popen function call. Attackers with authenticated access to SSH console of Crestron devices may use to run underlying OS commands.

Key dates

02Disclosure timeline

May 5, 2026 CVE published
May 6, 2026 Record updated