CVE-2023-38405 in 3-Series Control Systems
Summary
by MITRE • 07/18/2023
On Crestron 3-Series Control Systems before 1.8001.0187, crafting and sending a specific BACnet packet can cause a crash.
Analysis
by VulDB Data Team • 01/19/2026
The vulnerability identified as CVE-2023-38405 affects Crestron 3-Series Control Systems operating on firmware versions prior to 1.8001.0187, representing a critical security flaw that enables remote code execution through crafted BACnet packets. This issue stems from insufficient input validation within the system's BACnet protocol implementation, specifically when processing incoming network traffic. The vulnerability resides in the system's handling of malformed BACnet frames that are designed to exploit memory management flaws in the underlying network communication stack.
The BACnet protocol implementation within Crestron systems follows the ASHRAE 135 standard for building automation and control networks, making this vulnerability particularly concerning for industrial control environments. The flaw manifests when the system receives a specially crafted BACnet packet that triggers a buffer overflow condition or memory corruption within the network processing module. This type of vulnerability maps directly to CWE-121, which describes heap-based buffer overflow conditions, and CWE-125, which addresses out-of-bounds read conditions. The attack vector is network-based, allowing remote exploitation without requiring authentication credentials, making it particularly dangerous in operational technology environments.
The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential pathway for more sophisticated attacks within industrial control systems. When the system crashes due to malformed BACnet packets, it creates opportunities for denial-of-service conditions that could disrupt critical building automation functions such as HVAC control, lighting management, and security systems. From an attacker's perspective, this vulnerability aligns with ATT&CK technique T1203, which involves exploitation of remote services, and T1499, which covers network disruption attacks. The vulnerability affects systems that rely on BACnet for communication between building automation devices, potentially impacting facilities management, smart building operations, and industrial environments where Crestron systems are deployed.
Mitigation strategies for CVE-2023-38405 require immediate firmware updates to version 1.8001.0187 or later, which includes patched BACnet packet validation routines. Network segmentation and firewall rules should be implemented to restrict BACnet traffic to authorized network segments, as specified in NIST SP 800-82 guidelines for industrial control systems. Additionally, implementing network monitoring solutions that can detect anomalous BACnet traffic patterns will help identify potential exploitation attempts. Organizations should also consider disabling BACnet protocols on systems where they are not required, following the principle of least privilege as outlined in ISO/IEC 27001 security standards. Regular vulnerability assessments and penetration testing of industrial control environments should be conducted to identify similar vulnerabilities in other network protocols and system components.
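One way to approach the BACnet traffic monitoring mentioned above, as an added example that is not part of the MITRE or VulDB text and not Crestron code: a structural check for BACnet/IP UDP payloads that flags frames whose BVLC length or NPDU address lengths disagree with the bytes actually received. The page does not describe the crafted packet, so this does not match that specific packet; the function name, the finding strings and the sample payloads are assumptions made for illustration.

```python
import struct

BVLC_TYPE_BACNET_IP = 0x81
MAX_BVLC_FUNCTION = 0x0C  # highest BVLC function code this check accepts
NPDU_OFFSET = {0x04: 10, 0x09: 4, 0x0A: 4, 0x0B: 4}  # BVLC functions carrying an NPDU

def check_bacnet_ip(payload: bytes) -> list:
    """Return structural anomalies found in one UDP payload (empty list = well-formed)."""
    if len(payload) < 4:
        return ["truncated BVLC header"]
    bvlc_type, function, length = struct.unpack("!BBH", payload[:4])
    if bvlc_type != BVLC_TYPE_BACNET_IP:
        return [f"unexpected BVLC type 0x{bvlc_type:02x}"]
    findings = []
    if function > MAX_BVLC_FUNCTION:
        findings.append(f"unknown BVLC function 0x{function:02x}")
    if length != len(payload):
        findings.append(f"BVLC length {length} != UDP payload {len(payload)}")
    if function not in NPDU_OFFSET:
        return findings
    npdu = payload[NPDU_OFFSET[function]:]
    if len(npdu) < 2:
        return findings + ["truncated NPDU"]
    if npdu[0] != 0x01:
        findings.append(f"NPDU version {npdu[0]} != 1")
    control = npdu[1]
    if control & 0x50:
        findings.append("reserved NPDU control bits set")
    pos = 2
    # Each optional specifier is a 2-byte network number, 1-byte length, then address.
    for flag, name in ((0x20, "DNET"), (0x08, "SNET")):
        if control & flag:
            if pos + 3 > len(npdu):
                return findings + [f"{name} specifier truncated"]
            addr_len = npdu[pos + 2]
            pos += 3 + addr_len
            if pos > len(npdu):
                return findings + [f"{name} address length {addr_len} overruns frame"]
    if control & 0x20 and pos >= len(npdu):
        findings.append("hop count missing")
    return findings

# Constructed sample payloads (hex), not captured traffic.
SAMPLES = {
    "who-is broadcast": "810b000c0120ffff00ff1008",
    "length field lies": "810a00400100",
    "DLEN overruns": "810a000901200001ff",
}
if __name__ == "__main__":
    for label, hex_payload in SAMPLES.items():
        print(label, check_bacnet_ip(bytes.fromhex(hex_payload)))
```

A sensor or inline filter would call check_bacnet_ip on each UDP payload seen on the BACnet port and alert on any non-empty result, in addition to the segmentation and firmware update described above.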