CRITICAL🇵🇱 Wersja polska

CVE-2025-47419

CVSS 10.0v4.0pub. 2025-05-06upd. 2026-04-15

Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic. The device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.

🤖 AI Analysis
How it works

The device accepts connections to the administrative Web UI interface and API through unencrypted (cleartext) network ports without enforcing encryption. An attacker located on the same network or capable of network traffic eavesdropping (sniffing) can intercept transmitted data in plain text. This way, they gain access to user credentials and other sensitive information transmitted between the client and the device.

Impact

An attacker can intercept user passwords and other sensitive data, leading to unauthorized access to the device and potentially to the entire infrastructure it manages.

Mitigation & patch

Update Crestron Automate VX software to version 6.4.1.8 or newer, available on the manufacturer's website at the address indicated in the references. Until the update is applied, it is recommended to isolate the device on the network and restrict access to the Web UI interface and API only to trusted hosts through firewall rules.

Who is affected

Crestron Automate VX in versions from 5.6.8161.21536 to 6.4.0.49 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References