CVE-2019-3933
Description
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code simply by requesting /images/browserslide.jpg via HTTP. A remote, unauthenticated attacker can use this vulnerability to watch a slideshow without knowing the access code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crestron AM-100/AM-101 slideshow can be viewed without the access code by requesting /images/browserslide.jpg over HTTP.
Vulnerability
The Crestron AM-100 (firmware 1.6.0.2) and AM-101 (firmware 2.7.0.2) contain a vulnerability that allows unauthorized access to the slideshow feature. The device does not enforce the presentation access code when accessing the resource /images/browserslide.jpg via HTTP [1]. This file contains the slideshow content that is normally protected by a code entered on the presenter's interface.
Exploitation
A remote, unauthenticated attacker can exploit this by simply sending an HTTP GET request to http://<device_ip>/images/browserslide.jpg [1]. No authentication, prior knowledge, or user interaction is required. The attacker can repeat the request to view the slideshow at any time.
Impact
An attacker who successfully exploits this vulnerability can view the entire slideshow content without the intended access code [1]. This bypasses the presentation code security mechanism, potentially exposing confidential information displayed in the presentation to unauthorized viewers.
Mitigation
Crestron has not released fixed firmware for the AM-100 or AM-101 at the time of publication [1]. Administrators should restrict network access to the device, especially the HTTP service, and monitor for unauthorized access attempts. The device may be affected by additional vulnerabilities disclosed in the same research [1].
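The mitigation above asks administrators to monitor for unauthorized access attempts. The following is an added example (not code from the page, Tenable, or Crestron) of what that monitoring can look like: it assumes HTTP traffic to the device is proxied or mirrored through something that writes combined-format access logs (the AM-100/AM-101 itself is not assumed to produce such logs), parses them, and flags every successful fetch of /images/browserslide.jpg from an address outside an operator-defined allowlist. The log lines, IP ranges, and function names are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Path named in the advisory for CVE-2019-3933; any successful fetch that did not
# come from the presenter's own network is worth an alert.
SLIDE_PATH = "/images/browserslide.jpg"

# Combined log format as written by common reverse proxies and sensors
# (assumption: something in front of the device logs requests in this shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: one hit from the presenter's LAN, three from elsewhere.
SAMPLE_LOG = """\
10.0.5.20 - - [12/Mar/2019:09:14:02 +0000] "GET /images/browserslide.jpg HTTP/1.1" 200 48213
10.0.5.21 - - [12/Mar/2019:09:14:10 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [12/Mar/2019:09:15:44 +0000] "GET /images/browserslide.jpg HTTP/1.1" 200 48213
203.0.113.7 - - [12/Mar/2019:09:15:45 +0000] "GET /images/browserslide.jpg?x=1 HTTP/1.1" 200 48213
198.51.100.9 - - [12/Mar/2019:18:02:11 +0000] "GET /images/browserslide.jpg HTTP/1.1" 200 48213
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Strip any query string so cache-busting variants still match SLIDE_PATH.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_slide_accesses(log_text, allowed_networks):
    """Return successful slide-image fetches from outside the allowed CIDR ranges."""
    allowed = [ip_network(n) for n in allowed_networks]
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != SLIDE_PATH or rec["status"] != "200":
            continue
        try:
            src = ip_address(rec["ip"])
        except ValueError:
            continue  # malformed source field; skip rather than crash
        if any(src in net for net in allowed):
            continue
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"]})
    return alerts


def summarize(alerts):
    """Count flagged fetches per source address."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_slide_accesses(SAMPLE_LOG, ["10.0.5.0/24"])
    for h in hits:
        print(f"ALERT: slide image served to {h['ip']} at {h['ts']}")
    print(summarize(hits))
```

Only status 200 responses are flagged, because the point of this check is that the image was actually served without an access code; widening the filter to all statuses would also surface scanners probing the path on devices where nothing has been presented yet.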
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Crestron / Crestron AirMedia v5 range: AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authentication check on the /images/browserslide.jpg endpoint allows unauthenticated access to slideshow content."
Attack vector
An unauthenticated, remote attacker simply requests /images/browserslide.jpg via HTTP from the affected Crestron AM-100 or AM-101 device [ref_id=1]. No session, login, or presentation code is required. The server serves the final slide image without any access control check, bypassing the intended remote view login [ref_id=1]. Additionally, the last image from a screenshare remains cached at that URL even after the presentation ends [ref_id=1].
Affected code
The advisory identifies the endpoint /images/browserslide.jpg as the vulnerable resource on Crestron AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.1 [ref_id=1]. No specific source file or function is named in the advisory.
What the fix does
The advisory does not provide a patch diff or specific remediation code [ref_id=1]. The vendor should implement authentication enforcement on the /images/browserslide.jpg endpoint so that the image is only served after the user has supplied a valid presentation code. Clearing the cached slide image after a presentation ends would also prevent post-presentation access [ref_id=1].
Preconditions
- network: Attacker must have network access to the Crestron AM-100 or AM-101 device on port 80/443.
- input: No authentication or presentation code is required; the attacker simply requests a static URL path.
Reproduction
Navigate to http://[target IP]/images/browserslide.jpg in a web browser or use curl: `curl http://[target IP]/images/browserslide.jpg`. If a presentation has occurred since the last reboot, the final slide image is returned without any authentication [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.tenable.com/security/research/tra-2019-20 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.