CVE-2022-23178
Published 2022-01-15
Priority: P1 (88) · critical · 9.8 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flags: exploited in the wild (ITW) · public exploit · VulnCheck KEV
EPSS: 75.71% (99.5th percentile)
An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crestron | hd-md4x2-4k-e_firmware | — | — |
Detection & IOCs (extracted from sources)
Sigma: HTTP GET /aj.html?a=devi returning a JSON body containing '"uname":' and '"upassword":'
- Unauthenticated GET request to /aj.html?a=devi on Crestron HD-MD4X2-4K-E devices returns a JSON body containing plaintext credentials in 'uname' and 'upassword' fields; monitor for this response pattern on the network.
- Detect exploitation attempts by alerting on HTTP 200 responses to /aj.html that contain both '"uname":' and '"upassword":' in the response body.
- The vulnerability requires no authentication (PR:N, UI:N); any unauthenticated client visiting the device web interface automatically triggers the credential-leaking request to aj.html.
- Post-disclosure access allows firmware upload/install; monitor for subsequent firmware upload requests following a credential-disclosing response from aj.html.
- No fix is available; the vendor confirmed the vulnerability will not be corrected. Mitigation is limited to network-level access restriction (e.g., a firewall).
- The vendor recommended migrating to the HD-MD-4KZ as an alternative device, as the HD-MD4X2-4K-E does not support Crestron's security practices.
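The detection rule described above, applied to HTTP transaction records, as an added example that is not part of this page or of any of the indexed sources. The record field names and the sample transactions are constructed assumptions; the match condition follows the Sigma description (GET /aj.html, HTTP 200, both '"uname":' and '"upassword":' in the body), and the alert deliberately records only the length of the disclosed password, never its value.

```python
import json
from typing import Dict, List

# Constructed sample transactions (not captured from a real device).
SAMPLE_TRANSACTIONS = [
    {"src": "10.0.0.5", "method": "GET", "path": "/aj.html?a=devi", "status": 200,
     "body": '{"uname":"admin","upassword":"hunter2","model":"HD-MD4X2-4K-E"}'},
    {"src": "10.0.0.5", "method": "GET", "path": "/index.html", "status": 200,
     "body": "<html>...</html>"},
    {"src": "10.0.0.9", "method": "GET", "path": "/aj.html?a=devi", "status": 401,
     "body": ""},
]

# Both markers must be present, as in the Sigma rule description.
MARKERS = ('"uname":', '"upassword":')


def matches_credential_leak(tx: Dict) -> bool:
    """True when a GET to /aj.html got an HTTP 200 whose body carries both markers."""
    path = tx.get("path", "").split("?", 1)[0]  # ignore the query string
    if tx.get("method") != "GET" or path != "/aj.html" or tx.get("status") != 200:
        return False
    body = tx.get("body", "")
    return all(marker in body for marker in MARKERS)


def build_alert(tx: Dict) -> Dict:
    """Alert record that never copies the disclosed password into the log."""
    alert = {"rule": "CVE-2022-23178 credential disclosure",
             "src": tx.get("src"), "path": tx.get("path")}
    try:
        doc = json.loads(tx.get("body", ""))
        alert["uname"] = doc.get("uname")
        alert["upassword_len"] = len(str(doc.get("upassword", "")))
    except json.JSONDecodeError:
        alert["uname"] = None
        alert["upassword_len"] = None
    return alert


def scan(transactions: List[Dict]) -> List[Dict]:
    """Every match is a disclosure event: the device leaks on any unauthenticated visit."""
    return [build_alert(tx) for tx in transactions if matches_credential_leak(tx)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_TRANSACTIONS):
        print(alert)
```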
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-8h93-v6rj-jm76 · unreviewed · 2022-01-16 · CWE-287 · CRITICAL
VulnCheck
crestron hd-md4x2-4k-e_firmware: Improper Authentication · 2022 · CVSS 9.8 CRITICAL
Affected: crestron hd-md4x2-4k-e_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-26&host_type=src&vulnerability=cve-2022-23178; https://dashboard.shadowserver.org/statistics/honeypot/vulnerabil
No detection rules found.
Exploit-DB
Creston Web Interface 1.0.0.2159 - Credential Disclosure · 2022-01-18 · CVSS 9.8 CRITICAL
---
# Exploit Title: Creston Web Interface 1.0.0.2159 - Credential Disclosure
# Exploit Author: RedTeam Pentesting GmbH
Advisory: Credential Disclosure in Web Interface of Crestron Device
When the administrative web interface of the Crestron HDMI switcher is
accessed unauthenticated, user credentials are disclosed which are valid
to authenticate to the web interface.
Details
Product: Crestron HD-MD4X2-4K-E
Affected Versions: 1.0.0.2159
Fixed Versions: -
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009
Advisory Sta
Nuclei
Crestron Device - Credentials Disclosure · CVSS 9.8 CRITICAL
Template:
id: CVE-2022-23178
info:
  name: Crestron Device - Credentials Disclosure
  author: gy741
  severity: critical
  description: An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upasswo
No writeups or analysis indexed.