CVE-2026-7865 (GCVE-0-2026-7865)
Vulnerability from cvelistv5 – Published: 2026-05-05 15:05 – Updated: 2026-05-06 15:25
VLAI?
Title
Hidden Console Command
Summary
A hidden console command is vulnerable to command injection
flaw when control characters are passed to its second argument.
A third party researcher Eugene Lim had discovered vulnerability
in the way console command passes to a popen function call. Attackers with
authenticated access to SSH console of Crestron devices may use to run
underlying OS commands.
Severity ?
CWE
- CWE-88 - Improper neutralization of argument delimiters in a command ('argument injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crestron Electronics | Touchpanels (x60/x70) |
Affected:
3.002.0043.001 , ≤ 3.003.0015.001
(custom)
|
Date Public ?
2026-05-05 14:10
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-05T18:31:34.690899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T15:25:23.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Touchpanels (x60/x70)",
"vendor": "Crestron Electronics",
"versions": [
{
"changes": [
{
"at": "3.003.0015.001",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.003.0015.001",
"status": "affected",
"version": "3.002.0043.001",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-05T14:10:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA hidden console command is vulnerable to command injection\nflaw when control characters are passed to its second argument.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cspan\u003eA third party researcher Eugene Lim had discovered vulnerability\nin the way console command passes to a popen function call. Attackers with\nauthenticated access to SSH console of Crestron devices may use to run\nunderlying OS commands.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "A hidden console command is vulnerable to command injection\nflaw when control characters are passed to its second argument.\u00a0\n\nA third party researcher Eugene Lim had discovered vulnerability\nin the way console command passes to a popen function call. Attackers with\nauthenticated access to SSH console of Crestron devices may use to run\nunderlying OS commands."
}
],
"impacts": [
{
"capecId": "CAPEC-6",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-6 Argument Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper neutralization of argument delimiters in a command (\u0027argument injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T15:05:12.734Z",
"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"shortName": "Crestron"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-TSS-770-TSS-1070-TSW-570/3-003-0015-001"
},
{
"tags": [
"release-notes"
],
"url": "https://www.crestron.com/release_notes/tsw-xx70_3.003.0015.001_release_notes.pdf"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hidden Console Command",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3",
"assignerShortName": "Crestron",
"cveId": "CVE-2026-7865",
"datePublished": "2026-05-05T15:05:12.734Z",
"dateReserved": "2026-05-05T13:36:54.938Z",
"dateUpdated": "2026-05-06T15:25:23.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-7865",
"date": "2026-05-09",
"epss": "0.00333",
"percentile": "0.56143"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-7865\",\"sourceIdentifier\":\"25b0b659-c4b4-483f-aecb-067757d23ef3\",\"published\":\"2026-05-05T16:16:19.730\",\"lastModified\":\"2026-05-07T14:53:48.473\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A hidden console command is vulnerable to command injection\\nflaw when control characters are passed to its second argument.\u00a0\\n\\nA third party researcher Eugene Lim had discovered vulnerability\\nin the way console command passes to a popen function call. Attackers with\\nauthenticated access to SSH console of Crestron devices may use to run\\nunderlying OS commands.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"25b0b659-c4b4-483f-aecb-067757d23ef3\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"25b0b659-c4b4-483f-aecb-067757d23ef3\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-88\"}]}],\"references\":[{\"url\":\"https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-TSS-770-TSS-1070-TSW-570/3-003-0015-001\",\"source\":\"25b0b659-c4b4-483f-aecb-067757d23ef3\"},{\"url\":\"https://www.crestron.com/release_notes/tsw-xx70_3.003.0015.001_release_notes.pdf\",\"source\":\"25b0b659-c4b4-483f-aecb-067757d23ef3\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-7865\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-05T18:31:34.690899Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-05T18:31:40.724Z\"}}], \"cna\": {\"title\": \"Hidden Console Command\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-6\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-6 Argument Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.4, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Crestron Electronics\", \"product\": \"Touchpanels (x60/x70)\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"3.003.0015.001\", \"status\": \"unaffected\"}], \"version\": \"3.002.0043.001\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"3.003.0015.001\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-05-05T14:10:00.000Z\", \"references\": [{\"url\": \"https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-TSS-770-TSS-1070-TSW-570/3-003-0015-001\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.crestron.com/release_notes/tsw-xx70_3.003.0015.001_release_notes.pdf\", \"tags\": [\"release-notes\"]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A hidden console command is vulnerable to command injection\\nflaw when control characters are passed to its second argument.\\u00a0\\n\\nA third party researcher Eugene Lim had discovered vulnerability\\nin the way console command passes to a popen function call. Attackers with\\nauthenticated access to SSH console of Crestron devices may use to run\\nunderlying OS commands.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eA hidden console command is vulnerable to command injection\\nflaw when control characters are passed to its second argument.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cspan\u003eA third party researcher Eugene Lim had discovered vulnerability\\nin the way console command passes to a popen function call. Attackers with\\nauthenticated access to SSH console of Crestron devices may use to run\\nunderlying OS commands.\u003c/span\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-88\", \"description\": \"CWE-88 Improper neutralization of argument delimiters in a command (\u0027argument injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"25b0b659-c4b4-483f-aecb-067757d23ef3\", \"shortName\": \"Crestron\", \"dateUpdated\": \"2026-05-05T15:05:12.734Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-7865\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-06T15:25:23.058Z\", \"dateReserved\": \"2026-05-05T13:36:54.938Z\", \"assignerOrgId\": \"25b0b659-c4b4-483f-aecb-067757d23ef3\", \"datePublished\": \"2026-05-05T15:05:12.734Z\", \"assignerShortName\": \"Crestron\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…