CVE-2019-3938
Description
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 store usernames, passwords, and other configuration options in the file generated via the "export configuration" feature. The configuration file is encrypted using the awenc binary. The same binary can be used to decrypt any configuration file, since all the encryption logic is hard-coded. A local attacker can use this vulnerability to gain access to the device's usernames and passwords.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crestron AM-100/101 stores credentials in an encrypted configuration file that can be decrypted with a hardcoded binary, exposing usernames and passwords.
Vulnerability
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 store usernames, passwords, and other configuration options in a file generated via the "export configuration" feature. The configuration file is encrypted using the awenc binary. However, all encryption logic is hardcoded within the same binary, allowing any such file to be decrypted. This vulnerability affects the encrypted export functionality and does not require any special privileges beyond local access to the exported file.
Exploitation
A local attacker with access to an exported configuration file can decrypt it using the awenc binary. The attacker does not need authentication or network access to the device; they only need possession of the exported file. By running awenc with appropriate arguments, the attacker can recover the plaintext configuration, including stored usernames and passwords.
Impact
Successful exploitation allows the attacker to retrieve all credentials stored in the device's configuration, including administrative usernames and passwords. This can lead to unauthorized access to the Crestron device and potentially to other systems or networks that rely on those credentials. The impact is a direct compromise of confidentiality and can pave the way for further attacks.
Mitigation
As of the publication date of CVE-2019-3938, no firmware update or workaround has been released to address this vulnerability. The available references do not provide a mitigation [1]. Users are advised to restrict access to exported configuration files and consider replacing affected devices with models that do not suffer from this design flaw.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Crestron/Crestron AirMedia (v5). Range: AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.2
Patches
No patches discovered yet.
References
[1] www.tenable.com/security/research/tra-2019-20 (mitre, x_refsource_MISC)