CVE-2019-3932
Description
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to authentication bypass due to a hard-coded password in return.tgi. A remote, unauthenticated attacker can use this vulnerability to control external devices via the uart_bridge.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crestron AM-100/AM-101 firmware contains a hard-coded password in return.tgi, allowing unauthenticated remote attackers to bypass authentication and control external devices via uart_bridge.
Vulnerability
Crestron AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.2 contain a hard-coded password in the return.tgi CGI script. This allows an unauthenticated remote attacker to bypass authentication controls without any required prior configuration or access [1].
Exploitation
An unauthenticated attacker can send crafted HTTP requests to the affected device over the network. By leveraging the hard-coded credential embedded in return.tgi, the attacker can bypass the authentication mechanism and directly interact with the UART bridge functionality without needing any user interaction or privileged access [1].
Impact
Successful exploitation enables the attacker to control external devices connected via the UART bridge, potentially leading to unauthorized manipulation of connected equipment such as displays or projectors. This can result in disclosure of sensitive information, disruption of service, or physical damage depending on the attached hardware. The attacker gains the same level of control as an authenticated administrator over the UART bridge feature [1].
Mitigation
Crestron has not released a firmware fix as of the publication date. Affected versions (AM-100 firmware 1.6.0.2, AM-101 firmware 2.7.0.2) remain vulnerable. Users are advised to restrict network access to the device, place it behind a firewall, and monitor for unauthorized access attempts. The device is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Crestron/Crestron AirMediav5Range: AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.2
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Hard-coded session ID in return.tgi allows authentication bypass."
Attack vector
A remote, unauthenticated attacker sends a crafted POST request to the /tgi/return.tgi endpoint with the hard-coded sessionID "trLVy9Gh82KDHoy" [ref_id=1]. The request includes a "command=session" parameter along with the sessionID and additional data to control external devices via the uart_bridge [ref_id=1]. No authentication is required because the script accepts this hard-coded value as valid, allowing the attacker to send arbitrary commands to connected serial/UART devices.
Affected code
The vulnerable script is /home/boa/tgi/return.tgi on Crestron AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.2 [ref_id=1]. This script accepts a hard-coded sessionID "trLVy9Gh82KDHoy" to bypass authentication and controls external devices via the uart_bridge [ref_id=1].
What the fix does
The advisory does not include a patch diff or specific remediation details [ref_id=1]. The recommended fix is to remove the hard-coded session ID from return.tgi and implement proper session-based authentication that generates unique, unpredictable session tokens per user. Without a patch, the device remains vulnerable to unauthenticated control of external devices via the uart_bridge.
Preconditions
- networkAttacker must have network access to the device's web interface (typically on TCP port 80 or 443).
- inputNo authentication credentials required; the hard-coded sessionID is accepted without validation.
Reproduction
curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "command=session&trLVy9Gh82KDHoy9&beef100500 2222010005" --insecure https://192.168.88.250/tgi/return.tgi
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.tenable.com/security/research/tra-2019-20mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.