CVE-2020-16839
HIGH
Crestron DM-NVX-DIR Firmware - Unauthenticated Password Change via WebSocket Request
On Crestron DM-NVX-DIR, DM-NVX-DIR80, and DM-NVX-ENT devices before the DM-XIO/1-0-3-802 patch, the password can be changed by sending an unauthenticated WebSocket request.
References (4)
Vendor Advisory x_refsource_misc
https://support.crestron.com
Permissions Required x_refsource_confirm
https://www.crestron.com/Software-Firmware/Firmware/DigitalMedia/DM-XIO/1-0-3-802
Broken Link x_refsource_confirm
https://www.security.crestron.com
Vendor Advisory
https://www.crestron.com/Security/Security-at-Crestron
Scores
CVSS v3
7.5
EPSS
0.0118
EPSS Percentile
63.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-287
Status
published
Products (3)
crestron/dm-nvx-dir-160_firmware
1.0.1.788
crestron/dm-nvx-dir-80_firmware
1.0.1.788
crestron/dm-nvx-dir-ent_firmware
1.0.1.788
Published
Jul 30, 2021
Tracked Since
Feb 18, 2026