Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic. The device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
The device accepts connections to the administrative Web UI interface and API through unencrypted (cleartext) network ports without enforcing encryption. An attacker located on the same network or capable of network traffic eavesdropping (sniffing) can intercept transmitted data in plain text. This way, they gain access to user credentials and other sensitive information transmitted between the client and the device.
An attacker can intercept user passwords and other sensitive data, leading to unauthorized access to the device and potentially to the entire infrastructure it manages.
Update Crestron Automate VX software to version 6.4.1.8 or newer, available on the manufacturer's website at the address indicated in the references. Until the update is applied, it is recommended to isolate the device on the network and restrict access to the Web UI interface and API only to trusted hosts through firewall rules.
Crestron Automate VX in versions from 5.6.8161.21536 to 6.4.0.49 inclusive.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X