CVE-2025-47421
BaseFortify
Publication date: 2025-09-03
Last updated on: 2025-09-04
Assigner: Crestron Electronics, Inc.
Description
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection. This issue affects TOUCHSCREENS x70: from 3.001.0031.001 through 3.001.0034.001.
A specially crafted SCP command sent via the SSH login string can allow a valid administrator user to gain privileged operating system access on the device.
The following product models are affected:
TSW-x70
TSW-x60
TST-1080
AM-3000/3100/3200
Soundbar VB70
HD-PS622/621/402
HD-TXU-RXU-4kZ-211
HD-MDNXM-4KZ-E
*Note: additional firmware updates will be published once they are made available.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| crestron | soundbar_vb70 | * |
| crestron | tst_1080 | * |
| crestron | hd_ps622 | * |
| crestron | hd_ps621 | * |
| crestron | hd_txu_rxu_4kz_211 | * |
| crestron | touchscreens_x70 | 3.001.0034.001 |
| crestron | am_3000 | * |
| crestron | tsw_x60 | * |
| crestron | tsw_x70 | * |
| crestron | touchscreens_x70 | 3.001.0031.001 |
| crestron | hd_ps402 | * |
| crestron | hd_mdnxm_4kz_e | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |