Cyber Resilience

CVE-2019-3929

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 30 April 2019
Modified: 03 November 2025
KEV Added: 15 April 2022
Patch:
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9425 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-3929 is a critical-severity vulnerability in Crestron AM-100 firmware, mapped here to CWE-79 (Cross-site Scripting) and described in the detailed analysis below as an OS command injection flaw (CWE-78). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The CVE-2019-3929 vulnerability is an OS command injection flaw present in the file_transfer.cgi HTTP endpoint of multiple wireless presentation and collaboration devices. Affected products include Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7. The issue is tracked under CWE-78 and CWE-79 and carries a CVSS 3.1 score of 9.8.

A remote unauthenticated attacker can send crafted HTTP requests to the endpoint and execute arbitrary operating system commands with root privileges, resulting in full device compromise without any user interaction or authentication.

Public exploit code demonstrating unauthenticated remote command injection against Barco, AWIND OEM, and related platforms has been published via Packet Storm, Exploit-DB, and Tenable research disclosures.

Vulnerability details

The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.

CWE(s): CWE-78, CWE-79
KEV Date Added: 15 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor      Product                                     Version
crestron    am-100 firmware                             1.6.0.2
crestron    am-101 firmware                             2.7.0.2
barco       wepresent wipg-1000p firmware               2.3.0.10
barco       wepresent wipg-1600w firmware               ≤ 2.4.1.19
extron      sharelink 200 firmware                      2.0.3.4
extron      sharelink 250 firmware                      2.0.3.4
teqavit     wips710 firmware                            1.1.0.7
sharp       pn-l703wa firmware                          1.4.2.3
optoma      wps-pro firmware                            1.0.0.5
blackbox    hd wireless presentation system firmware    1.0.0.5

+2 more product configuration(s); see NVD for the full list.

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation). Directly blocks OS command injection in file_transfer.cgi by validating all HTTP input parameters before they reach the shell.

prevent: AC-3 (Access Enforcement). Enforces access-control policy on the CGI endpoint so that unauthenticated remote requests cannot invoke privileged commands.

prevent: Identification and authentication. Requires successful identification and authentication before any user or process can reach the vulnerable file_transfer.cgi functionality.
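The three controls above describe, in order, the shape of a hardened request handler: enforce authentication and access policy first, validate every parameter against a strict allowlist second, and only then act on it without ever handing the value to a shell. The following Python sketch is an added illustration of that layering and is not code from the affected firmware or from this page's source; the Request class, the UPLOAD_DIR and media paths, the `file` parameter name and the `cp` action are all hypothetical stand-ins for whatever file_transfer.cgi actually does.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# SI-10: allowlist for a plain file name. No path separators, no whitespace,
# no shell metacharacters; length capped so the pattern is cheap to evaluate.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

UPLOAD_DIR = "/tmp/uploads"   # hypothetical staging directory
MEDIA_DIR = "/srv/media"      # hypothetical destination directory


@dataclass
class Request:
    """Minimal stand-in for a parsed CGI request (constructed for this example)."""
    params: dict
    session_user: Optional[str] = None   # None means the request is unauthenticated


def is_safe_filename(name: str) -> bool:
    """Input validation (SI-10): accept only names matching the allowlist.

    The regex already excludes '/', '\\', ';', '|', '&', '$', backticks, quotes
    and whitespace, and a leading '.' so '.' and '..' cannot pass either.
    """
    return SAFE_NAME.fullmatch(name) is not None


def handle_file_transfer(
    req: Request,
    runner: Callable[..., object] = subprocess.run,
) -> Tuple[int, str]:
    """Hardened handler: access enforcement, then validation, then a shell-free action.

    `runner` is injectable so the control flow can be exercised without
    actually copying files; the default is subprocess.run.
    """
    # AC-3 / identification and authentication: refuse before reading any parameter.
    if req.session_user is None:
        return 401, "authentication required"

    name = req.params.get("file", "")
    if not is_safe_filename(name):
        # Reject, do not "sanitise": stripping characters from a hostile value
        # still leaves the attacker controlling what reaches the command.
        return 400, "rejected: unsafe file name"

    # Pass an argv list with shell=False. The validated name becomes exactly one
    # argument; it is never spliced into a command string for a shell to parse.
    argv = ["cp", f"{UPLOAD_DIR}/{name}", f"{MEDIA_DIR}/{name}"]
    runner(argv, check=True, shell=False)
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one unauthenticated, one with a bad name,
    # one that passes. A stub runner records the argv instead of copying.
    seen = []
    stub = lambda argv, **kw: seen.append(argv)
    print(handle_file_transfer(Request({"file": "report.pdf"}), runner=stub))
    print(handle_file_transfer(Request({"file": "a;id"}, "admin"), runner=stub))
    print(handle_file_transfer(Request({"file": "report.pdf"}, "admin"), runner=stub))
    print(seen)
```

The ordering matters for detection as well as prevention: because the authentication check runs first, every unauthenticated probe of the endpoint is logged as a 401 rather than reaching the validator, which gives a clean signal for alerting on exploitation attempts against this CVE.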

References