VYPR
Unrated severity · NVD Advisory · Published Apr 30, 2019 · Updated Aug 4, 2024

CVE-2019-3934

Description

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allow anyone to bypass the presentation code by sending a crafted HTTP POST request to login.cgi. A remote, unauthenticated attacker can use this vulnerability to download the current slide image without knowing the access code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crestron AM-100/AM-101 allow unauthenticated attackers to bypass the presentation code and download the current slide image via a crafted HTTP POST to login.cgi.

Vulnerability

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 contain a vulnerability in the login.cgi endpoint. By sending a crafted HTTP POST request, an unauthenticated remote attacker can bypass the presentation code check that normally restricts access to the current slide image. The affected devices are presentation systems that require a numeric access code to view or control slides; this flaw removes that requirement entirely [1].

Exploitation

An attacker needs only network access to the device; no authentication or prior knowledge of the presentation code is required. The exploit consists of sending a specially crafted HTTP POST request to the /login.cgi endpoint. The exact parameters are not publicly detailed, but the request triggers the bypass, allowing the attacker to retrieve the current slide image without supplying the correct access code [1].

Impact

Successful exploitation enables an unauthenticated attacker to download the current slide image being displayed on the presentation system. This results in unauthorized disclosure of potentially sensitive presentation content, violating the confidentiality of the presentation. The attacker does not gain administrative control or the ability to modify slides, but can view the current slide without the intended access restriction [1].

Mitigation

As of the publication date (2019-04-30), Crestron has not released a firmware update to address this vulnerability. Users should restrict network access to the device to trusted hosts only, place the device behind a firewall, and avoid exposing it to untrusted networks. If possible, disable the presentation code bypass feature or monitor for suspicious HTTP requests to login.cgi [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Crestron/AM-100
    Range: 1.6.0.2
  • Crestron/Crestron AirMedia
    Range: AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.2

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authentication check in login.cgi allows an unauthenticated POST request with BROWSER=client to retrieve the current slide image."

Attack vector

An unauthenticated, remote attacker sends a crafted HTTP POST request to `/cgi-bin/login.cgi` with the body `BROWSER=client` [1]. No presentation code or session token is required. The response contains the current slide image, which the attacker can save to disk (e.g., `slideshow_img.jpg`). The attack is performed over the network with no prior authentication or user interaction.

Affected code

The vulnerability resides in the `/cgi-bin/login.cgi` script on Crestron AM-100 (firmware 1.6.0.2) and AM-101 (firmware 2.7.0.1) devices [1]. The script does not enforce any authentication or presentation-code check when processing a crafted POST request.

What the fix does

The advisory does not include a patch or describe a specific fix [1]. The recommended remediation is to implement proper authentication checks in the `/cgi-bin/login.cgi` handler so that the presentation code must be verified before serving slide images. Without a vendor-supplied patch, device owners should apply any firmware updates released by Crestron that address this issue.

Preconditions

  • auth: No authentication or session required
  • network: Attacker must have network access to the device's HTTPS interface
  • input: The device must have an active or cached slide image available

Reproduction

Execute the following curl command against the target device (replace the IP address as needed): `curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "BROWSER=client" --insecure "https://192.168.88.250/cgi-bin/login.cgi?lang=en&src=lol.html" > slideshow_img.jpg` [1]. The output file will contain the current slide image.
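The monitoring advice in the Mitigation section and the request shape given above can be combined into a simple detector for the CVE-2019-3934 pattern. The following Python is an added example, not part of this advisory; the record layout (client IP, method, URL, form body) is an assumption, since the device's own request logging is not described, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs, urlsplit

# Constructed records in the shape of a reverse-proxy/WAF request log:
# client_ip, method, URL, form body ('-' when the request had no body).
# This layout is an assumption; the device's real log format is not
# given in the advisory.
SAMPLE_LOG = """\
10.0.0.5 GET https://192.168.88.250/index.html -
10.0.0.7 POST https://192.168.88.250/cgi-bin/login.cgi?lang=en&src=lol.html BROWSER=client
10.0.0.9 POST https://192.168.88.250/cgi-bin/login.cgi?lang=en lang=en&BROWSER=client
10.0.0.9 POST https://192.168.88.250/cgi-bin/login.cgi?lang=en -
10.0.0.8 POST https://192.168.88.250/cgi-bin/other.cgi BROWSER=client
10.0.0.6 POST https://192.168.88.250/cgi-bin/login.cgi BROWSER=server
"""

@dataclass
class Finding:
    client_ip: str
    url: str
    reason: str

def is_bypass_probe(method: str, url: str, body: str) -> bool:
    """True when a request matches the advisory's pattern: a POST to
    /cgi-bin/login.cgi whose form body sets BROWSER=client. Legitimate
    clients may also send this field, so treat a hit as a triage signal."""
    if method.upper() != "POST":
        return False
    if urlsplit(url).path != "/cgi-bin/login.cgi":
        return False
    # parse_qs handles any parameter order and URL-encoded values.
    params = parse_qs(body, keep_blank_values=True)
    return "client" in params.get("BROWSER", [])

def scan_log(text: str) -> List[Finding]:
    """Parse whitespace-separated records and return one Finding per match."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client_ip, method, url, body = line.split(maxsplit=3)
        body = "" if body == "-" else body
        if is_bypass_probe(method, url, body):
            findings.append(Finding(client_ip, url, "POST to login.cgi with BROWSER=client"))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT {f.client_ip} {f.url}: {f.reason}")
```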

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

No linked articles in our index yet.