Firmware Security Vulnerabilities

CVE-2023-46518

Mercury A15 V1.0 20230818_1.0.3 was discovered to contain a command execution vulnerability via the component...

9.8 CVSS

9.6 AI Score

0.001 EPSS

2023-10-25 06:17 PM
16

CVE-2023-46526

TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.001 EPSS

2023-10-25 06:17 PM
48

CVE-2023-46538

TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.001 EPSS

2023-10-25 06:17 PM
17

CVE-2023-46542

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.002 EPSS

2023-10-25 06:17 PM
9

CVE-2023-46543

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.002 EPSS

2023-10-25 06:17 PM
10

CVE-2023-46544

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.002 EPSS

2023-10-25 06:17 PM
9

CVE-2023-46546

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.002 EPSS

2023-10-25 06:17 PM
9

CVE-2023-46521

TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.001 EPSS

2023-10-25 06:17 PM
46

CVE-2023-46535

TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.001 EPSS

2023-10-25 06:17 PM
51

CVE-2023-46537

TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.001 EPSS

2023-10-25 06:17 PM
17

CVE-2023-46520

TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.001 EPSS

2023-10-25 06:17 PM
45

CVE-2023-46525

TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.001 EPSS

2023-10-25 06:17 PM
49

CVE-2023-46534

TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.001 EPSS

2023-10-25 06:17 PM
13

CVE-2023-46539

TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.001 EPSS

2023-10-25 06:17 PM
45

CVE-2023-46540

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.002 EPSS

2023-10-25 06:17 PM
10

CVE-2023-46541

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.002 EPSS

2023-10-25 06:17 PM
8

CVE-2023-46545

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.002 EPSS

2023-10-25 06:17 PM
12

CVE-2023-46547

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function...

9.8 CVSS

9.6 AI Score

0.002 EPSS

2023-10-25 06:17 PM
8

CVE-2023-46369

Tenda W18E V16.01.0.8(1576) contains a stack overflow vulnerability via the portMirrorMirroredPorts parameter in the formSetNetCheckTools...

9.8 CVSS

9.5 AI Score

0.001 EPSS

2023-10-25 06:17 PM
7

CVE-2023-46371

TP-Link device TL-WDR7660 2.0.30 has a stack overflow vulnerability via the function...

9.8 CVSS

9.5 AI Score

0.0005 EPSS

2023-10-25 06:17 PM
38

CVE-2023-46370

Tenda W18E V16.01.0.8(1576) has a command injection vulnerability via the hostName parameter in the formSetNetCheckTools...

9.8 CVSS

9.6 AI Score

0.035 EPSS

2023-10-25 06:17 PM
17

CVE-2023-46373

TP-Link TL-WDR7660 2.0.30 has a stack overflow vulnerability via the function...

9.8 CVSS

9.5 AI Score

0.0005 EPSS

2023-10-25 06:17 PM
16

CVE-2023-46102

The Android Client application, when enrolled to the AppHub server, connects to an MQTT broker to exchange messages and receive commands to execute on the HMI device. The protocol built on top of MQTT to implement the remote management of the device is encrypted with a hard-coded DES symmetric...

8.8 CVSS

8.7 AI Score

0.001 EPSS

2023-10-25 06:17 PM
15

CVE-2023-45851

The Android Client application, when enrolled to the AppHub server, connects to an MQTT broker without enforcing any server authentication. This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI...

8.8 CVSS

8.3 AI Score

0.001 EPSS

2023-10-25 06:17 PM
8

CVE-2023-45844

The vulnerability allows a low privileged user that has access to the device when locked in Kiosk mode to install an arbitrary Android application and leverage it to have access to critical device settings such as the device power management or eventually the device secure settings (ADB...

6.8 CVSS

7 AI Score

0.001 EPSS

2023-10-25 06:17 PM
20

CVE-2023-45220

The Android Client application, when enrolled with the define method 1 (the user manually inserts the server IP address), uses the HTTP protocol to retrieve sensitive information (IP address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable.....

8.8 CVSS

8.2 AI Score

0.001 EPSS

2023-10-25 06:17 PM
11

CVE-2023-45321

The Android Client application, when enrolled with the define method 1 (the user manually inserts the server IP address), uses the HTTP protocol to retrieve sensitive information (IP address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not...

8.8 CVSS

8.3 AI Score

0.0005 EPSS

2023-10-25 06:17 PM
10

CVE-2023-43488

The vulnerability allows a low privileged (untrusted) application to modify a critical system property that should be denied, in order to enable the ADB (Android Debug Bridge) protocol to be exposed on the network, exploiting it to gain a privileged shell on the device without requiring the...

7.9 CVSS

7.4 AI Score

0.0004 EPSS

2023-10-25 06:17 PM
11

CVE-2023-41960

The vulnerability allows an unprivileged (untrusted) third-party application to interact with a content-provider unsafely exposed by the Android Agent application, potentially modifying sensitive settings of the Android Client application...

7.1 CVSS

4 AI Score

0.0004 EPSS

2023-10-25 06:17 PM
10

CVE-2023-41372

The vulnerability allows an unprivileged (untrusted) third-party application to arbitrarily modify the server settings of the Android Client application, inducing it to connect to an attacker-controlled malicious server. This is possible by forging a valid broadcast intent encrypted with a...

7.8 CVSS

7.3 AI Score

0.0004 EPSS

2023-10-25 06:17 PM
9

CVE-2023-41255

The vulnerability allows an unprivileged user with access to the subnet of the TPC-110W device to gain a root shell on the device itself abusing the lack of authentication of the ‘su’ binary file installed on the device that can be accessed through the ADB (Android Debug Bridge) protocol exposed...

8.8 CVSS

8.8 AI Score

0.001 EPSS

2023-10-25 06:17 PM
9

CVE-2023-5246

Authentication Bypass by Capture-replay in SICK Flexi Soft Gateways with Partnumbers 1044073, 1127717, 1130282, 1044074, 1121597, 1099832, 1051432, 1127487, 1069070, 1112296, 1044072, 1121596, 1099830 allows an unauthenticated remote attacker to potentially impact the availability, integrity and...

8.8 CVSS

8.8 AI Score

0.001 EPSS

2023-10-23 01:15 PM
21

CVE-2023-5702

A vulnerability was found in Viessmann Vitogate 300 up to 2.1.3.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /cgi-bin/. The manipulation leads to direct request. The exploit has been disclosed to the public and may be used. The identifier of...

6.5 CVSS

7.9 AI Score

0.001 EPSS

2023-10-23 01:15 AM
63

CVE-2023-5684

A vulnerability was found in Byzoro Smart S85F Management Platform up to 20231012. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /importexport.php. The manipulation leads to os command injection. The attack can be launched remotely. The...

9.8 CVSS

9.7 AI Score

0.001 EPSS

2023-10-21 07:15 AM
45

CVE-2023-5683

A vulnerability was found in Byzoro Smart S85F Management Platform up to 20231010 and classified as critical. This issue affects some unknown processing of the file /sysmanage/importconf.php. The manipulation of the argument btn_file_renew leads to os command injection. The attack may be initiated....

9.8 CVSS

9.7 AI Score

0.001 EPSS

2023-10-21 05:16 AM
59

CVE-2023-43492

In Weintek's cMT3000 HMI Web CGI device, the cgi-bin codesys.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login...

9.8 CVSS

9.4 AI Score

0.001 EPSS

2023-10-19 08:15 PM
24

CVE-2023-40145

In Weintek's cMT3000 HMI Web CGI device, an anonymous attacker can execute arbitrary commands after login to the...

8.8 CVSS

8.9 AI Score

0.0005 EPSS

2023-10-19 08:15 PM
19

CVE-2023-38584

In Weintek's cMT3000 HMI Web CGI device, the cgi-bin command_wb.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login...

9.8 CVSS

9.4 AI Score

0.001 EPSS

2023-10-19 08:15 PM
12

CVE-2023-46033

D-Link (Non-US) DSL-2750U N300 ADSL2+ and (Non-US) DSL-2730U N150 ADSL2+ are vulnerable to Incorrect Access Control. The UART/Serial interface on the PCB provides log output and a root terminal without proper access...

6.8 CVSS

6.6 AI Score

0.001 EPSS

2023-10-19 04:15 PM
22

CVE-2022-27813

Motorola MTM5000 series firmwares lack properly configured memory protection of pages shared between the OMAP-L138 ARM and DSP cores. The SoC provides two memory protection units, MPU1 and MPU2, to enforce the trust boundary between the two cores. Since both units are left unconfigured by the...

8.2 CVSS

8.4 AI Score

0.0004 EPSS

2023-10-19 10:15 AM
14

CVE-2022-26941

A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app.....

9.6 CVSS

8.8 AI Score

0.001 EPSS

2023-10-19 10:15 AM
22

CVE-2022-25332

The AES implementation in the Texas Instruments OMAP L138 (secure variants), present in mask ROM, suffers from a timing side channel which can be exploited by an adversary with non-secure supervisor privileges by managing cache contents and collecting timing information for different ciphertext...

4.4 CVSS

5.7 AI Score

0.0004 EPSS

2023-10-19 10:15 AM
28

CVE-2022-25334

The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel...

8.8 CVSS

6.5 AI Score

0.0004 EPSS

2023-10-19 10:15 AM
18

CVE-2022-25333

The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) performs an RSA check implemented in mask ROM when loading a module through the SK_LOAD routine. However, only the module header authenticity is validated. An adversary can re-use any correctly signed header and.....

8.8 CVSS

6.7 AI Score

0.0004 EPSS

2023-10-19 10:15 AM
21

CVE-2022-26943

The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boot-time entropy and limited re-seeding of the pool render the authentication challenge vulnerable to two attacks. First, due to the limited...

8.8 CVSS

6.1 AI Score

0.001 EPSS

2023-10-19 10:15 AM
19

CVE-2022-26942

The Motorola MTM5000 series firmwares lack pointer validation on arguments passed to trusted execution environment (TEE) modules. Two modules are used, one responsible for KVL key management and the other for TETRA cryptographic functionality. In both modules, an adversary with non-secure...

8.2 CVSS

8.4 AI Score

0.0004 EPSS

2023-10-19 10:15 AM
16

CVE-2023-34441

Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 contains a cleartext transmission vulnerability which could allow an attacker to steal the authentication secret from communication traffic to the device and reuse it for arbitrary...

8.2 CVSS

8.2 AI Score

0.001 EPSS

2023-10-19 12:15 AM
18

CVE-2023-36857

Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 contains a replay vulnerability which could allow an attacker to replay older captured packets of traffic to the device to gain...

6.5 CVSS

6.6 AI Score

0.0005 EPSS

2023-10-19 12:15 AM
33

CVE-2023-34437

Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 contains a vulnerability in their password retrieval functionality which could allow an attacker to access passwords stored on the...

7.5 CVSS

7.5 AI Score

0.001 EPSS

2023-10-19 12:15 AM
20

CVE-2023-26300

A potential security vulnerability has been identified in the system BIOS for certain HP PC products which might allow escalation of privilege. HP is releasing firmware updates to mitigate the potential...

7.8 CVSS

7.8 AI Score

0.0004 EPSS

2023-10-18 07:15 PM
33

Total number of security vulnerabilities: 18945