CVE-2018-13341

moderate-risk
Published 2018-08-10

In Crestron TSW-X60 all versions prior to 2.001.0037.001 and MC3 all versions prior to 1.502.0047.00, the passwords for special sudo accounts may be calculated using information accessible to those with regular user privileges. Attackers could decipher these passwords, which may allow them to execute hidden API calls and escape the CTP console sandbox environment with elevated privileges.

Do I need to act?

3.1% chance of exploitation in next 30 days
EPSS score: moderate exploit probability

Not on CISA KEV list
No confirmed active exploitation reported to CISA

Patch status unknown
Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (2)

TSW-X60 Firmware
MC3 Firmware

Affected Vendors

43 / 100
moderate-risk
Severity 30/34 · Critical
Exploitability 6/34 · Minimal
Exposure 7/34 · Low