A hidden console command is vulnerable to command injection
flaw when control characters are passed to its second argument. 

A third party researcher Eugene Lim had discovered vulnerability
in the way console command passes to a popen function call. Attackers with
authenticated access to SSH console of Crestron devices may use to run
underlying OS commands.