CVE-2025-47420 - Vulnerability Details - OpenCVE

266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

No data.

No data.

No data.

References

Link	Providers
https://security.crestron.com/
https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8
https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf

History

Wed, 07 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 06 May 2025 21:45:00 +0000

Type	Values Removed	Values Added
Description		266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
Title		User Permissions on Network API
Weaknesses		CWE-269
References		https://security.crestron.com/ https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8 https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Crestron

Published: 2025-05-06T21:33:39.188Z

Updated: 2025-05-07T14:03:50.793Z

Reserved: 2025-05-06T19:36:18.441Z

Link: CVE-2025-47420

Vulnrichment

Updated: 2025-05-07T13:46:25.389Z

NVD

Status : Awaiting Analysis

Published: 2025-05-06T22:15:17.180

Modified: 2025-05-07T14:13:20.483

Link: CVE-2025-47420

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47420", "assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3", "state": "PUBLISHED", "assignerShortName": "Crestron", "dateReserved": "2025-05-06T19:36:18.441Z", "datePublished": "2025-05-06T21:33:39.188Z", "dateUpdated": "2025-05-07T14:03:50.793Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Automate VX", "vendor": "Crestron", "versions": [{"changes": [{"at": "6.4.1.8", "status": "unaffected"}], "lessThanOrEqual": "6.4.0.49", "status": "affected", "version": "5.6.8161.21536", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Crestron Electronics Inc"}], "datePublic": "2025-04-23T21:15:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "266 vulnerability in Crestron Automate VX allows Privilege Escalation.<p>This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.</p>"}], "value": "266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3", "shortName": "Crestron", "dateUpdated": "2025-05-06T21:33:39.188Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://security.crestron.com/"}, {"tags": ["patch"], "url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"}, {"tags": ["release-notes"], "url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will applies user permissions to API requests. <br>"}], "value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will applies user permissions to API requests."}], "source": {"discovery": "INTERNAL"}, "title": "User Permissions on Network API", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Limit all API usage to users with full permissions.\n\n<br>"}], "value": "Limit all API usage to users with full permissions."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-07T13:46:20.078463Z", "id": "CVE-2025-47420", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T14:03:50.793Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-47420", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-07T13:46:20.078463Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T13:46:25.389Z"}}], "cna": {"title": "User Permissions on Network API", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Crestron Electronics Inc"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Crestron", "product": "Automate VX", "versions": [{"status": "affected", "changes": [{"at": "6.4.1.8", "status": "unaffected"}], "version": "5.6.8161.21536", "versionType": "custom", "lessThanOrEqual": "6.4.0.49"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will applies user permissions to API requests.", "supportingMedia": [{"type": "text/html", "value": "Crestron recommends updating to firmware version 6.4.1.8 or higher. The firmware version will applies user permissions to API requests. <br>", "base64": false}]}], "datePublic": "2025-04-23T21:15:00.000Z", "references": [{"url": "https://security.crestron.com/", "tags": ["vendor-advisory"]}, {"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8", "tags": ["patch"]}, {"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf", "tags": ["release-notes"]}], "workarounds": [{"lang": "en", "value": "Limit all API usage to users with full permissions.", "supportingMedia": [{"type": "text/html", "value": "Limit all API usage to users with full permissions.\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.", "supportingMedia": [{"type": "text/html", "value": "266 vulnerability in Crestron Automate VX allows Privilege Escalation.<p>This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "25b0b659-c4b4-483f-aecb-067757d23ef3", "shortName": "Crestron", "dateUpdated": "2025-05-06T21:33:39.188Z"}}}, "cveMetadata": {"cveId": "CVE-2025-47420", "state": "PUBLISHED", "dateUpdated": "2025-05-07T14:03:50.793Z", "dateReserved": "2025-05-06T19:36:18.441Z", "assignerOrgId": "25b0b659-c4b4-483f-aecb-067757d23ef3", "datePublished": "2025-05-06T21:33:39.188Z", "assignerShortName": "Crestron"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."}, {"lang": "es", "value": "La vulnerabilidad 266 en Crestron Automate VX permite la escalada de privilegios. Este problema afecta a Automate VX: desde 5.6.8161.21536 hasta 6.4.0.49."}], "id": "CVE-2025-47420", "lastModified": "2025-05-07T14:13:20.483", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "25b0b659-c4b4-483f-aecb-067757d23ef3", "type": "Secondary"}]}, "published": "2025-05-06T22:15:17.180", "references": [{"source": "25b0b659-c4b4-483f-aecb-067757d23ef3", "url": "https://security.crestron.com/"}, {"source": "25b0b659-c4b4-483f-aecb-067757d23ef3", "url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8"}, {"source": "25b0b659-c4b4-483f-aecb-067757d23ef3", "url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf"}], "sourceIdentifier": "25b0b659-c4b4-483f-aecb-067757d23ef3", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "25b0b659-c4b4-483f-aecb-067757d23ef3", "type": "Secondary"}]}