CVE-2019-3925
Description
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to command injection via SNMP OID iso.3.6.1.4.1.3212.100.3.2.9.3. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote, unauthenticated attacker can execute arbitrary OS commands as root on Crestron AM-100 and AM-101 via SNMP command injection.
Vulnerability
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to command injection via SNMP OID iso.3.6.1.4.1.3212.100.3.2.9.3. The vulnerability occurs when the device processes SNMP requests for this OID, which shells out to /bin/ftpfw.sh, allowing injection of operating system commands. No authentication is required to trigger the issue [1].
Exploitation
An unauthenticated attacker with network access to the device can send a crafted SNMP set request to the vulnerable OID. The injected commands are executed by the target with root privileges. The exploit does not require any user interaction or special privileges beyond network connectivity to the SNMP service.
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands as root, leading to full compromise of the device. This can result in information disclosure, modification of system configuration, or use of the device as a pivot point for further attacks.
Mitigation
Crestron released firmware updates (AM-100 firmware 1.6.0.3 and AM-101 firmware 2.7.0.3) in April 2019 to address this vulnerability [1]. Users should update to the latest firmware. If updating is not immediately possible, restricting SNMP access to trusted hosts and disabling SNMP if not required can reduce risk.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Crestron/Crestron AirMediav5Range: AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.2
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the SNMP handler for OID iso.3.6.1.4.1.3212.100.3.2.9.3 allows command injection when the value is passed to /bin/ftpfw.sh."
Attack vector
An unauthenticated attacker on the network sends an SNMP set request to the target device targeting OID iso.3.6.1.4.1.3212.100.3.2.9.3 [ref_id=1]. The value supplied in the SNMP set operation is passed unsanitized into a shell command executed via /bin/ftpfw.sh, allowing the attacker to inject arbitrary operating system commands [ref_id=1]. No authentication is required because SNMP community strings are often left at defaults or are not enforced for this OID.
Affected code
The vulnerability resides in the SNMP handler that processes the OID iso.3.6.1.4.1.3212.100.3.2.9.3. When this OID is set, the device shells out to /bin/ftpfw.sh, and user-controlled SNMP set values are injected into the shell command without sanitization [ref_id=1].
What the fix does
The advisory does not include a patch diff or specific remediation code [ref_id=1]. The recommended fix is to sanitize or validate all input received via SNMP set operations before passing it to shell commands, and to avoid shelling out to external scripts with user-controlled data. Users should also restrict SNMP access to trusted management hosts and change default community strings.
Preconditions
- networkAttacker must have network access to the device's SNMP port (UDP 161)
- configSNMP community string must be known or default (e.g. 'public')
- authNo authentication required beyond SNMP community string
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.tenable.com/security/research/tra-2019-20mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.