As an AV Technician, I take an interest in securing AV devices that I interact with. In this process I discovered a vulnerability with the Crestron HD-MD series of "DM-LITE" devices that allows for remote code execution as well as improper handling of plaintext credentials.
Here is the official vulnerability report that I submitted to Crestron:
Discovered: 07/01/2021
Reported: 08/10/2021
Crestron Response: 10/07/2021
Publicly Disclosed: 02/15/2022
I submitted a request to MITRE for an official CVE but received no response.
The vulnerability was discovered in the summer of 2021. I contacted and reported this vulnerability to Crestron. They are aware of the issue after my reporting, but have chosen to accept this risk/vulnerability.
Version: 2.0.1.2265 Last Modified: 12/27/2018 1:28:48 PM
Red Team Pentesting appears to have also discovered the vulnerability regarding credentials being stored in cleartext and has submitted CVE-2022-23178; however, this makes no mention of the RCE capabilities that these devices are vulnerable to as well.
An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.
Base Score: 9.8 CRITICAL