Obscure MCP API in Comet Browser Breaches User Trust, Enabling Full Device Control via AI Browsers
Palo Alto, California, 19th November 2025, CyberNewsWire...
CVE-2025-63219
The ITEL ISO FM SFN Adapter firmware ISO2 2.0.0.0, WebServer 2.0 is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control the device, modify configurations, and...
CVE-2025-63219
The CVE-2025-63219 issue affects the ITEL ISO FM SFN Adapter, specifically firmware ISO2 2.0.0.0 and WebServer 2.0. The root cause is improper session management on the /home.html endpoint, allowing an unauthenticated user to hijack an active session and potentially control the device and modify ...
Eurolab ELTS100_UBX Security Vulnerability
The Eurolab ELTS100UBX is a network connectivity device from Eurolab Italy. A security vulnerability exists in the Eurolab ELTS100UBX ELTS100v1.UBX version, which stems from a lack of authentication of critical management endpoints and could lead to full device control...
Itel DAB MUX Security Vulnerability
Itel DAB MUX is an encoding and multiplexing all-in-one device from Itel, Italy. A security vulnerability exists in the Itel DAB MUX build c041640a version, which stems from improper JWT authentication and could lead to authentication bypass and full device control...
METZ CONNECT Multiple Products Security Vulnerability
METZ CONNECT Energy-Controlling EWIO2-M and others are products of METZ CONNECT, Germany. METZ CONNECT Energy-Controlling EWIO2-M is a high performance data logger. METZ CONNECT Energy-Controlling EWIO2-M-BM is a high performance data logger. METZ CONNECT Ethernet-IO EWIO2-BM is a sensor and actuat...
CVE-2025-29270
Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows attackers to gain access to the admin panel and complete control of the device...
EUVD-2025-37375
Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows attackers to gain access to the admin panel and complete control of the device...
PT-2025-44641
Name of the Vulnerable Software and Affected Versions Deep Sea Electronics DSE855 versions 1.1.0 through 1.1.26 Description A flaw exists in access control within the realtime.cgi endpoint of Deep Sea Electronics devices. This allows attackers to access the admin panel and gain complete control o...
Deep Sea Electronics DSE855 Security Vulnerability
Deep Sea Electronics DSE855 is a USB to Ethernet communication device from Deep Sea Electronics, UK. A security vulnerability exists in the Deep Sea Electronics DSE855 versions 1.1.0 through 1.1.26, which stems from improper access control of the realtime.cgi endpoint, and could allow an attacker...
EUVD-2025-36692
An issue discovered in Dyson App v6.1.23041-23595 allows unauthenticated attackers to control other users' Dyson IoT devices remotely via MQTT...
ASKI Energy ALS-Mini-S8 and ALS-Mini-S4
RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to gain full control over the device. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as: Minimize network exposure for...
CVE-2025-6949
CVE-2025-6949 affects Moxa’s network security appliances and routers. The vulnerability is an authorization flaw in the API that allows an authenticated, low-privileged user to create a new administrator account (including usernames matching existing users), potentially granting full administrati...
CVE-2025-6949
An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A critical authorization flaw in the API allows an authenticated, low-privileged user to create a new administrator account, including accounts with usernames identical to...
DBLTek GoIP Security Vulnerability
DBLTek GoIP is a voice gateway device from Deborah DBLTek China. A security vulnerability exists in the DBLTek GoIP that stems from an undocumented vendor backdoor in the Telnet management interface that could lead to remote code execution and full control of the device...
CVE-2016-15047
AVTECH devices that include the CloudSetup.cgi management endpoint are vulnerable to authenticated OS command injection. The exefile parameter in CloudSetup.cgi is passed to the underlying system command execution without proper validation or whitelisting. An authenticated attacker who can invoke...
CVE-2025-27049
Transient DOS while processing IOCTL call for image encoding...
EUVD-2016-10792
AVTECH devices that include the CloudSetup.cgi management endpoint are vulnerable to authenticated OS command injection. The exefile parameter in CloudSetup.cgi is passed to the underlying system command execution without proper validation or whitelisting. An authenticated attacker who can invoke...
CVE-2016-15047 AVTECH CloudSetup.cgi Authenticated Command Injection
AVTECH devices that include the CloudSetup.cgi management endpoint are vulnerable to authenticated OS command injection. The exefile parameter in CloudSetup.cgi is passed to the underlying system command execution without proper validation or whitelisting. An authenticated attacker who can invoke...