CVE-2016-5639

high-risk

Published 2016-08-03

Directory traversal vulnerability in cgi-bin/login.cgi on Crestron AirMedia AM-100 devices with firmware before 1.4.0.13 allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter.

Do I need to act?

47.8% chance of exploitation in next 30 days

EPSS score — higher than 52% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

40813

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Airmedia Am-100 Firmware

Affected Vendors

Crestron

References (8)

Third Party Advisory http://www.kb.cert.org/vuls/id/603047

Third Party Advisory http://www.securityfocus.com/bid/92216

Third Party Advisory https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001....

https://www.exploit-db.com/exploits/40813/

Third Party Advisory http://www.kb.cert.org/vuls/id/603047

Third Party Advisory http://www.securityfocus.com/bid/92216

Third Party Advisory https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001....

https://www.exploit-db.com/exploits/40813/

/ 100

high-risk

Severity 26/34 · High

Exploitability 24/34 · High

Exposure 5/34 · Minimal