INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Vulnerabilities in Enterprise Audiovisual Hardware Exploited
| 2026-05-01 00:00 CRITICAL HIGH
Executive Summary AI-generated
The incident data reveals a sophisticated attack vector, with modern setups including high-resolution video conferencing cameras like the Aver PTC320UV2 and Crestron TSW-1060. These devices can be exploited through remote code execution (RCE), which is described as an authentication bypass in some cases. The attackers can execute arbitrary code via a "SendAction" function, allowing them to inject malicious API calls into the web interface of these cameras. This highlights the importance of vulnerability disclosure and responsible disclosure practices, particularly when researchers themselves may not be certain about the root causes of vulnerabilities.
Technical Mitigations AI-generated
* Implement secure firmware updates to prevent exploitation of the Aver PTC310UV2 firmware vulnerability.
* Regularly update and patch web management console software to ensure it remains up-to-date with known vulnerabilities.
* Use a Web Application Firewall (WAF) or intrusion detection system (IDS) to detect and block malicious traffic on the web interface.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2018-13341
CVE-2026-26461
CVE-2025-45620
CVE-2025-45619
Target & Sectors
SG
Incident Timeline
2019/05/03
Threat actors exploited a known vulnerability in enterprise audiovisual hardware to gain unauthorized access.
tactic
T1059.006 - Python
A Python script to do this was already available 7 years ago.
May 1, 2026
An attacker used a command injection vulnerability in the Aver PTC310UV2 firmware v.0.1.0000.59 to execute arbitrary code via the SendAction function, allowing them to access various services such as Crestron Terminal Protocol and potentially escalate to a root shell.
organisation
DEF
I recently got the opportunity to research some of this equipment to better understand how it’s secured, and found some interesting vulnerabilities along the way, which I presented at the C517 Village at the inaugural DEF CON Singapore.
organisation
CVE
For example, the CVE listing says the remote code execution is executed by the `SendAction` function, but this is a _client-side_ JavaScript function that simply sends arbitrary API calls to the web interface.
infrastructure
0.1.0000
An issue in Aver PTC310UV2 firmware v.0.1.0000.59 allows a remote attacker to execute arbitrary code via the SendAction function
This is a good example of the confusion that can arise in vulnerability disclosure, especially if the researchers themselves might not be fully certain about the vulnerability’s root causes.
organisation
iVar
iVar = GetEngDebugMode();
if ((iVar == 0) && strncmp(mac_str, "DE:AD:BE:EF:12:3", 16) !
organisation
IP Address
[number]\r\n",param_4,0xfffffffd,&DAT_000af1bc);
SendConsoleResponseToSymproc
("\tnumber - number of hours to block an IP Address, 0 is indefinite, 255 max\r\n",
param_4,0xfffffffd,&DAT_000af1bc);
infrastructure
Android
Given the ubiquity of these systems, they can be found quite cheaply nowadays on the second-hand market for less than $50 - even though they’re effectively fairly advanced Android tablets that sold for far more when new.
While the TSW-1060 supports custom applications that must be built in a proprietary Crestron HTML5 or SIMPL (which are in themselves worth investigating further because they include bridging APIs to the device backend), it also includes default Android applications for various room-scheduling services.
organisation
Traditional DES
Cracked
Hash.Mode........: 1500 (descrypt, DES (Unix), Traditional DES)
Hash.
data_breach
2 byte chunking escaped password
Special char escaping - # and @ are backslash-escaped before hashing
2. 7-byte chunking - the (escaped) password is split into 7-byte chunks
3.
organisation
OptionManager
OptionManager.
organisation
AV
This is an incredibly simple vulnerability so not worth going too deep, but I thought it was symptomatic of most enterprise AV hardware I have encountered.
organisation
FTP
This can include user projects (essentially custom apps on the tablet) and files on the FTP server.
organisation
SSH
Yes - there’s a pretty extensive attack surface here, including an FTP server, SSH server, custom Crestron Terminal Protocol, telnet, USB port, a web interface, and more.
organisation
Select/List
8021XTRUStedcas Administrator Select/List 802.1x Trusted CA Certificates
8021XUSERname Administrator Configure/View 802.1x User Name.
organisation
ADDDOMAINGroup
ADDBLOCKEDip Administrator Add an IP Address to the blocked list
ADDDOMAINGroup Administrator Create a new domain group
TSW-1060>VERSION
TSW-1060
organisation
Hashcat
DES crypt per chunk - each chunk is hashed via DES_fcrypt(chunk, “crestronPassword”, output) with a fixed salt of `cr`, producing a 13-character output
4. Concatenation - chunk hashes are concatenated: e.g. an 8-character password produces a 26-character hash
Or expressed in Bash:
```bash
p='password'; h=''; i=0; while [ $i -lt ${#p} ]; do h+=$(openssl passwd -crypt -salt cr "${p:$i:7}"); i=$((i+7)); done; echo "$h"
```
This is unfortunately extremely easy to crack with Hashcat, taking only 2 seconds with a CPU-only run on an M5 chip.
organisation
MAC
The password was deterministically-generated based on the device’s MAC address.
organisation
SendConsoleResponseToSymproc("SETLOCKOUTTIME
{
// Help strings
SendConsoleResponseToSymproc("SETLOCKOUTTIME
organisation
boolean exit
It helps a lot to either have a baseline “truth” or a boolean exit criteria for Claude Code to auto-correct itself.
organisation
AST
Without additional tooling beyond Ghidra, Claude Code was fairly weak at source-to-sink verification - statically, an AST generator or static analyser like `tree-sitter` probably would’ve helped, but I suspect there’s still a fuzzy link needed to “actual exploitable attack surface” that needs dynamic tools like an emulated environment or fuzzing harnesses.
organisation
HDCP
SendConsoleResponseToSymproc
("\tNo parameter - Loads HDCP 2x keys
organisation
SKE micro
[filename must be /dev/shm/temp/hdcp2xTxRx.keys] \r\n"
,param_4,0,&DAT_000af1bc);
pcVar1 = "\t-c [command string] -Sends RCON to SKE micro \r\n";
goto LAB_00063786;
}
if (*param_3 == '-') {
if (param_3[1] !
organisation
WebView
It connects directly to a URL in a WebView, but since the URL isn’t configured by default, it instead displays an error page.
organisation
EDR
Many of these devices function as bespoke systems and don’t support installation of additional monitoring or EDR protections out-of-the-box.
data_breach
0 c EthGetMacAddr(mac_bytes
Of course, this has since been “patched”, but only using a simple flag check while keeping the rest of the hard-coded stuff:
```c
EthGetMacAddr(mac_bytes, 0);
ConvertMacAddressToString(mac_str, mac_bytes, fmt);
LocalConvertToUpper(mac_str);
```
2026/05/01
The Crestron TSW-1060 file disclosure and remote code execution vulnerability was discovered by exploiting a hardcoded credential in the camera's API call, which allows an attacker to execute arbitrary commands as root.
organisation
API
Interestingly, while both published disclosures describe an authentication bypass (credentials were being retrieved from an unencrypted, unauthenticated API call and then checked _client-side_), the actual CVE listing describes a **remote code execution**.
organisation
Crestron
# Crestron TSW-1060 File Disclosure and Remote Code Execution (CVE Pending)
Another piece of equipment that often appears in meeting rooms is the office automation tablet, such as the Crestron TSW-1060.
organisation
CVE-2025-45619
An earlier version of this camera, the PTC310UV2, already has two published vulnerabilities, CVE-2025-45619 and CVE-2025-45620, for the web interface.
organisation
IP Address
```c
\r\n";
}
else if ((param_3 == (byte *)0x0) || (uVar2 = (uint)*param_3, uVar2 == 0)) {
  // Actual function handler
  GetIpblkLockout(&local_134,0xffffff84,uVar2);
  if (local_134 == 0) {
    __s = "Indefinite\\r\\n";
  }
  else {
    iVar3 = __aeabi_idiv(local_134,0xe10);
    __s = acStack_124;
    if (iVar3 < 2) {
      __format = "%d hour\r\n";
    }
    // ...
}
else if (uVar2 == 0x3f) {
  // Help strings
  SendConsoleResponseToSymproc("SETLOCKOUTTIME [number]\r\n",param_4,0xfffffffd,&DAT_000af1bc);
  SendConsoleResponseToSymproc
            ("\tnumber - number of hours to block an IP Address, 0 is indefinite, 255 max\r\n",
             param_4,0xfffffffd,&DAT_000af1bc);
  SendConsoleResponseToSymproc
            ("\tNo parameter - display current setting.
```
infrastructure
Android
With the root shell, the possibilities are endless: pivoting into the rest of the IT network, establishing persistence, listening into conversations and recording video using the Android applications…
# Challenges of Securing Physical Hardware
While these are only two examples, they reflect inherent weaknesses across all enterprise audiovisual hardware that make them especially difficult to secure as compared to even an organisation’s internet attack surface.
organisation
CVE-2018-13341
These are locked behind a factory/debug-level `crengsuperuser` user which was the subject of CVE-2018-13341.
organisation
APK
Image 4: Gingo password dialog
Unfortunately, this password is hard-coded by default within the APK in the `strings.xml` file as `gingco`.
organisation
Home
There’s a pretty active Home Assistant community around these tablets (shoutout especially to `KazWolfe`!).
organisation
Certificate
Administrator Require Validation Of 802.1x Authentication Server's Certificate.
organisation
iVar
Of course, this has since been “patched”, but only using a simple flag check while keeping the rest of the hard-coded stuff:
```c
EthGetMacAddr(mac_bytes, 0);
ConvertMacAddressToString(mac_str, mac_bytes, fmt);
LocalConvertToUpper(mac_str);
iVar = GetEngDebugMode();
```
organisation
HDCP
In any case, the vulnerable command was fairly easy to spot both by human and agentic eyes:
```c
void FUN_00063618(undefined4 param_1,undefined4 param_2,char *param_3,undefined4 param_4)
{
  if (*param_3 == '?') {
    SendConsoleResponseToSymproc("HDCP2XLOAD\r\n",param_4,0xfffffffd,&DAT_000af1bc);
    SendConsoleResponseToSymproc
              ("\tNo parameter - Loads HDCP 2x keys
```
organisation
Default Application
```c
= (FILE *)popenCmd(pcVar1,&DAT_0007fbe8);
```
A simple command injection except that it was somewhat less-visible as it wasn’t present in the `HELP` output nor the console auto-complete.
```bash
TSW-1060>HDCP2XLOAD -c;whoami;
root
```
## Hardcoded Credentials and Local File Disclosure via Default Application
As mentioned earlier, the TSW-1060 requires credentials to access the various services once it’s been properly configured.
data_breach
7 byte
The function reveals that it uses a weak DES hashing scheme with a fixed `cr` salt:
1. Special char escaping - # and @ are backslash-escaped before hashing
2. 7-byte chunking - the (escaped) password is split into 7-byte chunks
3. DES crypt per chunk - each chunk is hashed via DES_fcrypt(chunk, “crestronPassword”, output) with a fixed salt of `cr`, producing a 13-character output
4. Concatenation - chunk hashes are concatenated: e.g. an 8-character password produces a 26-character hash
Or expressed in Bash:
```bash
p='password'; h=''; i=0; while [ $i -lt ${#p} ]; do h+=$(openssl passwd -crypt -salt cr "${p:$i:7}");
```
organisation
Time
Fri Apr 17 13:21:40 2026 (2 secs)
Time.
organisation
Strongly Discouraged
## Patching is Strongly Discouraged
Audiovisual hardware needs to run 24/7, and downtime is to be avoided at all costs.
organisation
Default
When dealing with maybe hundreds of devices in one office, patching becomes almost impossible without significant investments.
## “Insecure by Default”
Although Crestron’s extensive security hardening guide includes many useful suggestions, as I like to quote from Kelly Shortridge: “Every hardening guide recommendation is a missed opportunity for a safer default.”
organisation
EDR
## Poor Visibility and Monitoring
Many of these devices function as bespoke systems and don’t support installation of additional monitoring or EDR protections out-of-the-box.
organisation
goto
LAB_00063786
```c
= 'c') {
  pcVar1 = "ERROR: this option is not supported\r\n";
  goto LAB_00063786;
}
pcVar1 = acStack_224;
snprintf(pcVar1,0x200,"@ske_upgrade@ %s",param_3);
pFVar2 = (FILE *)popenCmd(pcVar1,&DAT_0007fbe8);
```
A simple command injection except that it was somewhat less-visible as it wasn’t present in the `HELP` output nor the console auto-complete.
financial
$1 $ GetData string
GetData string:
$1
With this, a simple unauthenticated `ADDRESS OF CAMERA>/action?Get=acc;ls;` HTTP request was sufficient to execute arbitrary commands as `root`, not just bypass authentication.
Intelligence Sources
Zero Day Fans
2026-05-01
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:32
Comprehensive Tactical Telemetry
Highly Correlated Entities
45x
organisation
Identified Entity
DEF
entity
7x
tactic
MITRE ATT&CK Technique
T1059.007 - JavaScript
technique
5x
timeline
Temporal Reference
May 1, 2026
date
4x
vulnerability
Exploited CVE
CVE-2026-26461
cve
3x
general metric
Character
13
character
2x
general metric
Shell Hashcat
1,500
shell hashcat
Contextual Telemetry
Context Block
14 METRICS
target region
Target Country
Singapore
country
tactic
Cyber Operation Type
Remote Code Execution
tactic
infrastructure
Software Version
0.1.0000
version
general metric
Local_38 =
0
local_38 =
infrastructure
Affected Product
Android
software
general metric
Tue Jun
4
tue jun
general metric
Ad
16
ad
general metric
Indefinite Max\R\N
255
indefinite max\r\n
general metric
Seconds
2
seconds
general metric
Fri Apr
17
fri apr
data breach
C Ethgetmacaddr(Mac_Bytes
0
c ethgetmacaddr(mac_bytes
data breach
Byte Chunking Escaped Password
2
byte chunking escaped password
data breach
Byte
7
byte
financial
$ Getdata String
1
$ getdata string