CVE-2025-47421

Summary

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection.This issue affects TOUCHSCREENS x70: from 3.001.0031.001 through 3.001.0034.001.

A specially crafted SCP command sent via SSH login string can lead a valid administrator user to gain Privileged Operating System access on the device.

Following Products Models are affected:

TSW-x70 TSW-x60 TST-1080 AM-3000/3100/3200 Soundbar VB70 HD-PS622/621/402 HD-TXU-RXU-4kZ-211 HD-MDNXM-4KZ-E

*Note: additional firmware updates will be published once made available

Affected Software

VendorProductVersion RangeStatus
CRESTRONTOUCHSCREENS x703.001.0031.001 < 3.001.0034.001affected

Weaknesses

  • CWE-88: CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References