CVE-2025-47419

Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic. The device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.

CVSS

No CVSS.

References

Link	Resource
https://security.crestron.com/
https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8
https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf

Configurations

No configuration.

History

07 May 2025, 14:13

Type	Values Removed	Values Added
Summary		(es) La vulnerabilidad de transmisión de información confidencial en texto plano en Crestron Automate VX permite rastrear el tráfico de red. El dispositivo permite el acceso a la interfaz web y la API a través de puertos de red no seguros, lo que expone información confidencial, como las contraseñas de los usuarios. Este problema afecta a Automate VX desde la versión 5.6.8161.21536 hasta la 6.4.0.49.

06 May 2025, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-06 21:16

Updated : 2025-05-07 14:13

NVD link : CVE-2025-47419

Mitre link : CVE-2025-47419

CVE.ORG link : CVE-2025-47419

JSON object : View

Products Affected

No product.

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2025-47419", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "25b0b659-c4b4-483f-aecb-067757d23ef3", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-06T21:16:20.867", "references": [{"url": "https://security.crestron.com/", "source": "25b0b659-c4b4-483f-aecb-067757d23ef3"}, {"url": "https://www.crestron.com/Software-Firmware/Software/Automate-VX-Software/6-4-1-8", "source": "25b0b659-c4b4-483f-aecb-067757d23ef3"}, {"url": "https://www.crestron.com/release_notes/automate_vx_6.4.1.8_release_notes.pdf", "source": "25b0b659-c4b4-483f-aecb-067757d23ef3"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "25b0b659-c4b4-483f-aecb-067757d23ef3", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic.\n\nThe device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords.\n\n\nThis issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49."}, {"lang": "es", "value": "La vulnerabilidad de transmisi\u00f3n de informaci\u00f3n confidencial en texto plano en Crestron Automate VX permite rastrear el tr\u00e1fico de red. El dispositivo permite el acceso a la interfaz web y la API a trav\u00e9s de puertos de red no seguros, lo que expone informaci\u00f3n confidencial, como las contrase\u00f1as de los usuarios. Este problema afecta a Automate VX desde la versi\u00f3n 5.6.8161.21536 hasta la 6.4.0.49."}], "lastModified": "2025-05-07T14:13:20.483", "sourceIdentifier": "25b0b659-c4b4-483f-aecb-067757d23ef3"}