CVE-2022-23178
CRITICAL EXPLOITED NUCLEICrestron HD-MD4X2-4K-E Firmware 1.0.0.2159 - Unauthenticated Credential Disclosure via aj.html
Title source: llmExploitation Summary
CVE-2022-23178 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including RedTeam Pentesting GmbH. A Nuclei detection template is also available.
AI-analyzed exploit summary This advisory describes an information disclosure vulnerability in Crestron HD-MD4X2-4K-E devices (version 1.0.0.2159) where unauthenticated access to a specific endpoint reveals admin credentials in plaintext. The exploit involves a simple HTTP request to retrieve the credentials.
Description
An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.
Exploits (1)
This advisory describes an information disclosure vulnerability in Crestron HD-MD4X2-4K-E devices (version 1.0.0.2159) where unauthenticated access to a specific endpoint reveals admin credentials in plaintext. The exploit involves a simple HTTP request to retrieve the credentials.
Nuclei Templates (1)
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H