CVE-2018-13341

HIGH

Crestron TSW-X60 <2.001.0037.001 & MC3 <1.502.0047.00 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-13341. PoCs published by axcheron, RajChowdhury240.

AI-analyzed exploit summary: This repository contains a Python script that exploits CVE-2018-13341 to recover the password of the 'crengsuperuser' hidden account on Crestron TSW-X60 and MC3 devices. The script uses the device's MAC address to generate the password via a cryptographic algorithm involving SHA1 and RC4.

Description

In Crestron TSW-X60 (all versions prior to 2.001.0037.001) and MC3 (all versions prior to 1.502.0047.00), the passwords for special sudo accounts may be calculated using information accessible to those with regular user privileges. Attackers could decipher these passwords, which may allow them to execute hidden API calls and escape the CTP console sandbox environment with elevated privileges.

Exploits (2)

nomisec WORKING POC 25 stars
by axcheron · poc
https://github.com/axcheron/crestron_getsudopwd

This repository contains a Python script that exploits CVE-2018-13341 to recover the password of the 'crengsuperuser' hidden account on Crestron TSW-X60 and MC3 devices. The script uses the device's MAC address to generate the password via a cryptographic algorithm involving SHA1 and RC4.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Crestron TSW-X60 < 2.001.0037.001 and MC3 < 1.502.0047.001
No auth needed
Prerequisites: MAC address of the target device
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by RajChowdhury240 · poc
https://github.com/RajChowdhury240/CVE-2018-13341

This PoC exploits CVE-2018-13341 to recover the password of the 'crengsuperuser' hidden account on Crestron devices using the target's MAC address. The password is derived via SHA1 hashing and RC4 encryption, enabling privilege escalation to root via telnet.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Crestron TSW-XX60 devices
No auth needed
Prerequisites: Target MAC address · Network access to port 41795
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105051
Mitigation, Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-18-221-01

Scores

CVSS v3 8.8
EPSS 0.0363
EPSS Percentile 88.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (2)
crestron/mc3_firmware < 1.502.0047.00
crestron/tsw-x60_firmware < 2.001.0037.001
Published Aug 10, 2018
Tracked Since Feb 18, 2026