CVE-2025-47418 - Vulnerability Details - OpenCVE

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse. There is no visible indication when the system is recording and recording can be enabled remotely via a network API. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://security.crestron.com/
https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8
https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf

History

Wed, 07 May 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 06 May 2025 20:30:00 +0000

Type	Values Removed	Values Added
Description		Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse. There is no visible indication when the system is recording and recording can be enabled remotely via a network API. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Title		Recording
Weaknesses		CWE-200
References		https://security.crestron.com/ https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8 https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Crestron

Published: 2025-05-06T20:13:38.805Z

Updated: 2025-05-07T14:04:11.178Z

Reserved: 2025-05-06T19:36:18.441Z

Link: CVE-2025-47418

Vulnrichment

Updated: 2025-05-07T13:46:15.860Z

NVD

Status : Awaiting Analysis

Published: 2025-05-06T21:16:20.737

Modified: 2025-05-07T14:13:20.483

Link: CVE-2025-47418

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47418", "assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3", "state": "PUBLISHED", "assignerShortName": "Crestron", "dateReserved": "2025-05-06T19:36:18.441Z", "datePublished": "2025-05-06T20:13:38.805Z", "dateUpdated": "2025-05-07T14:04:11.178Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Automate VX", "vendor": "Crestron", "versions": [{"changes": [{"at": "6.4.1.8", "status": "unaffected"}], "lessThanOrEqual": "6.4.0.49", "status": "affected", "version": "5.6.8161.21536", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Crestron Electronics Inc"}], "datePublic": "2025-04-23T20:04:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.<br><br>There is no visible indication when the system is recording and recording can be enabled remotely via a network API. <br><p>This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.</p>"}], "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\n\nThere is no visible indication when the system is recording and recording can be enabled remotely via a network API. \nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."}], "impacts": [{"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3", "shortName": "Crestron", "dateUpdated": "2025-05-06T20:20:24.812Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://security.crestron.com/"}, {"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"}, {"tags": ["release-notes"], "url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will </span><span style=\"background-color: rgb(255, 255, 255);\">adds </span><span style=\"background-color: rgb(255, 255, 255);\">a</span><span style=\"background-color: rgb(255, 255, 255);\"> visual</span> <span style=\"background-color: rgb(255, 255, 255);\">indication</span> <span style=\"background-color: rgb(255, 255, 255);\">on </span><span style=\"background-color: rgb(255, 255, 255);\">the program </span><span style=\"background-color: rgb(255, 255, 255);\">video output </span><span style=\"background-color: rgb(255, 255, 255);\">when recording is </span><span style=\"background-color: rgb(255, 255, 255);\">started</span><span style=\"background-color: rgb(255, 255, 255);\">.</span><span style=\"background-color: rgb(255, 255, 255);\">  </span><br>"}], "value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will\u00a0adds a visual indication on the program video output when recording is started."}], "source": {"discovery": "INTERNAL"}, "title": "Recording", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Inform users in the room that they may be recorded. Also, configure the network to only allow needed systems and/or devices to access the API.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n<br>"}], "value": "Inform users in the room that they may be recorded. Also, configure the network to only allow needed systems and/or devices to access the API."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-07T13:46:13.710646Z", "id": "CVE-2025-47418", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T14:04:11.178Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-47418", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-07T13:46:13.710646Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T13:46:15.860Z"}}], "cna": {"title": "Recording", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Crestron Electronics Inc"}], "impacts": [{"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Crestron", "product": "Automate VX", "versions": [{"status": "affected", "changes": [{"at": "6.4.1.8", "status": "unaffected"}], "version": "5.6.8161.21536", "versionType": "custom", "lessThanOrEqual": "6.4.0.49"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will\u00a0adds a visual indication on the program video output when recording is started.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will </span><span style=\"background-color: rgb(255, 255, 255);\">adds </span><span style=\"background-color: rgb(255, 255, 255);\">a</span><span style=\"background-color: rgb(255, 255, 255);\"> visual</span> <span style=\"background-color: rgb(255, 255, 255);\">indication</span> <span style=\"background-color: rgb(255, 255, 255);\">on </span><span style=\"background-color: rgb(255, 255, 255);\">the program </span><span style=\"background-color: rgb(255, 255, 255);\">video output </span><span style=\"background-color: rgb(255, 255, 255);\">when recording is </span><span style=\"background-color: rgb(255, 255, 255);\">started</span><span style=\"background-color: rgb(255, 255, 255);\">.</span><span style=\"background-color: rgb(255, 255, 255);\">  </span><br>", "base64": false}]}], "datePublic": "2025-04-23T20:04:00.000Z", "references": [{"url": "https://security.crestron.com/", "tags": ["vendor-advisory"]}, {"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"}, {"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf", "tags": ["release-notes"]}], "workarounds": [{"lang": "en", "value": "Inform users in the room that they may be recorded. Also, configure the network to only allow needed systems and/or devices to access the API.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Inform users in the room that they may be recorded. Also, configure the network to only allow needed systems and/or devices to access the API.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\n\nThere is no visible indication when the system is recording and recording can be enabled remotely via a network API. \nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.", "supportingMedia": [{"type": "text/html", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.<br><br>There is no visible indication when the system is recording and recording can be enabled remotely via a network API. <br><p>This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3", "shortName": "Crestron", "dateUpdated": "2025-05-06T20:20:24.812Z"}}}, "cveMetadata": {"cveId": "CVE-2025-47418", "state": "PUBLISHED", "dateUpdated": "2025-05-07T14:04:11.178Z", "dateReserved": "2025-05-06T19:36:18.441Z", "assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3", "datePublished": "2025-05-06T20:13:38.805Z", "assignerShortName": "Crestron"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.\n\nThere is no visible indication when the system is recording and recording can be enabled remotely via a network API. \nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."}, {"lang": "es", "value": "La vulnerabilidad de exposici\u00f3n de informaci\u00f3n confidencial a un agente no autorizado en Crestron Automate VX permite el uso indebido de la funcionalidad. No hay ninguna indicaci\u00f3n visible cuando el sistema est\u00e1 grabando, y la grabaci\u00f3n se puede habilitar remotamente mediante una API de red. Este problema afecta a Automate VX desde la versi\u00f3n 5.6.8161.21536 hasta la 6.4.0.49."}], "id": "CVE-2025-47418", "lastModified": "2025-05-07T14:13:20.483", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "25b0b659-c4b4-483f-aecb-067757d23ef3", "type": "Secondary"}]}, "published": "2025-05-06T21:16:20.737", "references": [{"source": "25b0b659-c4b4-483f-aecb-067757d23ef3", "url": "https://security.crestron.com/"}, {"source": "25b0b659-c4b4-483f-aecb-067757d23ef3", "url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"}, {"source": "25b0b659-c4b4-483f-aecb-067757d23ef3", "url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"}], "sourceIdentifier": "25b0b659-c4b4-483f-aecb-067757d23ef3", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "25b0b659-c4b4-483f-aecb-067757d23ef3", "type": "Secondary"}]}