VYPR
Unrated severity · NVD Advisory · Published Apr 30, 2019 · Updated Aug 4, 2024

CVE-2019-3937

Description

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 stores usernames, passwords, slideshow passcode, and other configuration options in cleartext in the file /tmp/scfgdndf. A local attacker can use this vulnerability to recover sensitive data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crestron AM-100/101 store credentials and sensitive config in cleartext in /tmp/scfgdndf, allowing local attackers to recover data.

Vulnerability

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 store usernames, passwords, slideshow passcodes, and other configuration options in cleartext in the file /tmp/scfgdndf. This file is accessible to any local user on the device.

Exploitation

A local attacker with access to the device (e.g., via a shell obtained through another vulnerability or physical console) can read the /tmp/scfgdndf file. No authentication or special privilege is required beyond local access.

Impact

An attacker can recover sensitive credentials and configuration data, including administrative passwords and slideshow passcodes. Successful exploitation could lead to unauthorized access to the web management interface or the ability to change presentation settings.

Mitigation

Crestron has not released a public patch as of the publication date of this advisory. Users should restrict physical and network access to devices and consider replacing them with later models that are not affected. The vulnerability was disclosed in Tenable Research advisory TRA-2019-20 [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)
  • Crestron/AM-100 (llm-fuzzy)
    Range: =1.6.0.2
  • Crestron/Crestron AirMedia (v5)
    Range: AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.2

Patches (0)

No patches discovered yet.

References (1)
