Rapid7 researchers disclosed a command injection vulnerability that can be exploited to gain root-level access to the Crestron console service and allow adversaries to control commands that are being executed on the system.
Crestron Electronics is a provider of advanced control and automation solutions for the office, campus and home, ranging from home security systems to audio and video distribution to building and enterprise management systems. Affected devices, according to Crestron, are the DGE-100, DM-DGE-200-C, and TS-1542-C. The minimum firmware version that addresses this vulnerability is 1.3384.00059.001.
Read more on CSO about the Crestron flaw, which can be used to gain root-level access and gives attackers the ability to control commands being executed on the system.