CVE-2026-7865

Published: Mag 05, 2026 Last Modified: Mag 05, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,4

Source: 25b0b659-c4b4-483f-aecb-067757d23ef3

Attack Vector: network

Attack Complexity: high

Privileges Required: high

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

A hidden console command is vulnerable to command injection
flaw when control characters are passed to its second argument.

A third party researcher Eugene Lim had discovered vulnerability
in the way console command passes to a popen function call. Attackers with
authenticated access to SSH console of Crestron devices may use to run
underlying OS commands.

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability Other

Potential Impacts:

Execute Unauthorized Code Or Commands Alter Execution Logic Read Application Data Modify Application Data

Applicable Platforms

Languages: Not Language-Specific, PHP

View CWE Details

https://www.crestron.com/release_notes/tsw-xx70_3.003.0015.…

https://www.crestron.com/release_notes/tsw-xx70_3.003.0015.001_release_notes.pdf

https://www.crestron.com/Software-Firmware/Firmware/Touchpa…

https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-…

CVE-2026-7865

Description

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Common Consequences

Applicable Platforms

Iscriviti alla newsletter