VYPR
Unrated severity · NVD Advisory · Published Apr 30, 2019 · Updated Aug 4, 2024

CVE-2019-3926

Description

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to command injection via SNMP OID iso.3.6.1.4.1.3212.100.3.2.14.1. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SNMP command injection in Crestron AM-100/AM-101 allows remote attackers to execute OS commands as root via OID iso.3.6.1.4.1.3212.100.3.2.14.1.

Vulnerability

CVE-2019-3926 is a command injection vulnerability in the SNMP implementation of the Crestron AM-100 (firmware 1.6.0.2) and AM-101 (firmware 2.7.0.2). The vulnerability lies in the handling of the SNMP OID iso.3.6.1.4.1.3212.100.3.2.14.1. When this OID is queried, the device shells out to /bin/getRemoteURL.sh without properly sanitizing user-supplied input, allowing arbitrary operating system commands to be injected [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted SNMP request to the targeted device. The attack does not require authentication and can be performed remotely over the network. The attacker must be able to reach the SNMP service (typically UDP port 161) on the device. By setting the value of the specific OID to include command injection payloads (e.g., using backticks or semicolons), the injected commands are executed in the context of the /bin/getRemoteURL.sh script [1].

Impact

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary operating system commands with root privileges. This gives the attacker full control over the affected Crestron device, enabling actions such as modifying system configuration, exfiltrating data, installing malware, or pivoting to other internal network resources [1].

Mitigation

Crestron released firmware updates to address this vulnerability. Users should update the AM-100 to firmware version 1.6.0.3 or later, and the AM-101 to firmware version 2.7.0.3 or later. If updating is not immediately possible, restricting SNMP access to trusted hosts via firewall rules and disabling SNMP community strings if not needed can reduce the attack surface [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Crestron/AM-100 (llm-fuzzy)
    Range: 1.6.0.2
  • Crestron/Crestron AirMedia (v5)
    Range: AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the SNMP handler for OID iso.3.6.1.4.1.3212.100.3.2.14.1 allows shell metacharacters to be passed unsanitized to /bin/getRemoteURL.sh."

Attack vector

An unauthenticated attacker on the network sends the target device an SNMP set request for OID iso.3.6.1.4.1.3212.100.3.2.14.1 [1]. The value of the SNMP set operation is crafted to include shell metacharacters. Because the device shells out to `/bin/getRemoteURL.sh` using the attacker-supplied value, the injected commands execute as root [1]. No authentication is required because SNMP community strings default to "public" on these devices.

Affected code

The vulnerability is in the SNMP handler that processes OID iso.3.6.1.4.1.3212.100.3.2.14.1. When this OID is set, the device shells out to the script `/bin/getRemoteURL.sh` [1]. The script passes attacker-controlled SNMP set values into an operating system shell without sanitization.

What the fix does

The advisory does not provide a patch diff or specific remediation code [1]. The recommended fix is to restrict SNMP access to trusted management hosts only, change default SNMP community strings, and apply any vendor firmware update that properly sanitizes input before passing it to shell scripts such as `/bin/getRemoteURL.sh` [1].
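The input handling this section calls for, sketched as an added example (not Crestron's code and not taken from the advisory): the SNMP set value is checked against an allowlist and handed to the script as a single argv element with no shell in between. It assumes the value is meant to be an http(s) URL, which is inferred from the script name only; `validate_value`, `handler_argv`, `accepted` and `MAX_LEN` are hypothetical names.

```python
import re
from urllib.parse import urlsplit

SCRIPT = "/bin/getRemoteURL.sh"  # script path named in the advisory text
MAX_LEN = 255                    # assumed upper bound for the value

# Allowlist, not a metacharacter blocklist: backtick, ';', '$', '|', '&',
# quotes, whitespace and newlines all fall outside this set.
_ALLOWED = re.compile(r"[A-Za-z0-9._~:/%+=-]+")


def validate_value(raw: bytes) -> str:
    """Return the decoded value if acceptable, otherwise raise ValueError."""
    if not 0 < len(raw) <= MAX_LEN:
        raise ValueError("length out of range")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII byte in value") from None
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    if not _ALLOWED.fullmatch(text):
        raise ValueError("character outside allowlist")
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an absolute http(s) URL")
    return text


def handler_argv(raw: bytes) -> list:
    """Build argv for subprocess.run(argv, shell=False).

    The value travels as one argument and is never parsed by a shell here.
    Validation still matters: the script itself may expand its argument.
    """
    return [SCRIPT, validate_value(raw)]


def accepted(raw: bytes) -> bool:
    try:
        handler_argv(raw)
        return True
    except ValueError:
        return False


# Constructed sample values (not captured traffic).
SAMPLES = [b"http://media.example.internal/feed", b"http://h.example/x;y",
           b"http://h.example/`x`", b"http://h.example/ok\n", b"ftp://h.example/f"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "accept" if accepted(s) else "reject")
```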

Preconditions

  • network: Attacker must have network access to the device's SNMP port (UDP 161)
  • config: SNMP community string must be set to the default 'public' or otherwise known to the attacker
  • auth: No authentication required; SNMP set is processed without credentials

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
