Unauthorized File Execution in Crestron Touch Panels
CVE-2025-47416

5.9 MEDIUM

Key Information:

Vendor: Crestron

CVE Published: 9 September 2025

What is CVE-2025-47416?

A vulnerability has been identified within the ConsoleFindCommandMatchList function present in libsymproc, which is utilized by Crestron's touch panel products. This flaw may allow an attacker to execute a file of their choosing by manipulating how commands are prioritized during enumeration. Specifically, the vulnerability arises from the alphabetical listing of console commands in the /dev/shm/symproc/c directory, where permission levels are inaccurately inferred from the integer values in command file names. Affected firmware versions include 3.002.1061 for TSW-760 and TSW-1060, as well as 3.000.0110.001 for x70 models. Notably, a fix has not been released as the product has reached its end of life.

Affected Version(s)

Touchscreen x60s 3.002.1061

TOUCHSCREEN x70 3.000.0110.001 < 3.001.0031.001

CVSS V4

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

IBM