The Crestron AirMedia AM-100 with firmware prior to version 126.96.36.199 is vulnerable to path traversal and command injection.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2016-5639
An unauthenticated remote user may be able to access arbitrary files from the device filesystem, or execute arbitrary OS commands on the device.
Apply an update
Thanks to Zach Lanier of Cylance, Inc., for reporting this vulnerability.
This document was written by Garret Wassermann.