CVE-2025-47415
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CRESTRON TOUCHSCREENS x70 allows Relative Path Traversal. This issue affects TOUCHSCREENS x70: from 3.000.0110.001 before 3.001.0031.001.
Confirmed Affected Hardware: TSW-760, TSW-1060
Confirmed Affected Firmware: 3.002.1061 - (no fix released, product discontinued)
For x70:
Affected Firmware: 3.000.0110.001 and versions below
Fixed Firmware: 3.001.0031.001
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in Crestron Touchscreens x70 allows relative path traversal, potentially exposing restricted files.
Vulnerability Overview
CVE-2025-47415 is a path traversal vulnerability affecting Crestron Touchscreens x70 series, specifically the TSW-760 and TSW-1060 models. The issue stems from improper limitation of a pathname to a restricted directory, enabling relative path traversal attacks. Affected firmware versions include 3.000.0110.001 and below, while the fix is provided in firmware version 3.001.0031.001 [1].
Exploitation Details
An attacker can exploit this vulnerability by crafting requests that traverse directories outside the intended restricted path. The attack does not require authentication, as the path traversal occurs through unauthenticated network requests. The vulnerability is accessible over the network, likely through services exposed on port 7000, as referenced in related security advisories [1].
Impact
Successful exploitation allows an attacker to read arbitrary files on the device, potentially including sensitive configuration data or credentials. This could lead to further compromise of the device or the network it resides on. The severity is rated as Medium, with a CVSS score reflecting the potential for information disclosure.
Mitigation
Crestron has released firmware version 3.001.0031.001 for the x70 series to address this vulnerability. Users are urged to update their devices to this version. For the TSW-760 and TSW-1060 models, which are confirmed affected, no fix has been released as the products are discontinued; users should consider replacing these devices or implementing network-level controls to limit exposure [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.