Lucene search
K

81 matches found

EUVD
EUVD
added 2026/06/12 6:10 p.m.9 views

EUVD-2026-36529

The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register o...

8.7CVSS5.5AI score0.00306EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 6:7 p.m.11 views

CVE-2026-50101 Naxclow IoT Platform Not using password aging

Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintai...

9.2CVSS5.3AI score0.00281EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.12 views

PT-2026-48958

Name of the Vulnerable Software and Affected Versions Naxclow affected versions not specified Description The platform API that returns device relay registration details fails to verify if the requester is the legitimate device or owner, exposing a persistent credential. An actor capable of...

8.7CVSS5.4AI score0.00306EPSS
Exploits0References4
ICS
ICS
added 2026/06/11 6:0 a.m.29 views

Naxclow IoT Platform

ADVISORY SUMMARY Successful exploitation of these vulnerabilities could allow an attacker to impersonate devices, intercept or manipulate communications, harvest sensitive credentials at scale, or gain unauthorized access. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to...

5.7AI score
Exploits0References13
RedhatCVE
RedhatCVE
added 2026/06/05 7:19 p.m.7 views

CVE-2026-5768

The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities,...

8.8CVSS5.5AI score0.0028EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/01 9:17 a.m.9 views

CVE-2026-25599

Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices...

6.3CVSS5.9AI score0.00114EPSS
Exploits0References2
CVE
CVE
added 2026/06/01 9:17 a.m.22 views

CVE-2026-25599

CVE-2026-25599 involves Orca heat pump devices communicating with the Orca server over unencrypted HTTP, with missing authentication and input validation on aggregated data. This combination enables stored XSS in the heat pump web control interface and potential cookie theft, as well as attacker ...

6.3CVSS5.9AI score0.00114EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/01 9:17 a.m.12 views

EUVD-2026-33617

Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices...

6.3CVSS5.9AI score0.00114EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/01 12:0 a.m.13 views

PT-2026-45397

Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices...

6.3CVSS5.9AI score0.00114EPSS
Exploits0References2
NVD
NVD
added 2026/05/29 6:17 p.m.11 views

CVE-2026-5768

The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities,...

8.8CVSS0.0028EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/29 4:58 p.m.34 views

CVE-2026-5768 Fourth Frontier Frontier X Mobile Application, Frontier X2 Missing Authentication for Critical Function

The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities,...

8.8CVSS0.0028EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/29 4:58 p.m.11 views

EUVD-2026-33368

The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities,...

8.8CVSS5.8AI score0.0028EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/29 4:58 p.m.18 views

CVE-2026-5768

The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities,...

8.8CVSS5.8AI score0.0028EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/05/15 7:57 p.m.14 views

CVE-2026-23998

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled...

8.2CVSS5.8AI score0.00214EPSS
Exploits0References1
NVD
NVD
added 2026/05/14 7:16 p.m.11 views

CVE-2026-23998

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled...

8.2CVSS0.00214EPSS
Exploits0References2
CVE
CVE
added 2026/05/14 6:48 p.m.24 views

CVE-2026-23998

CVE-2026-23998 affects Fleet open-source device management software, specifically the Windows MDM management endpoint. A vulnerability in the endpoint could allow requests without proper client certificate validation to be processed as trusted, enabling an attacker who knows a valid enrolled devi...

8.2CVSS5.8AI score0.00214EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/14 6:48 p.m.8 views

CVE-2026-23998 Fleet has a Windows MDM management endpoint authentication bypass

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled...

8.2CVSS5.8AI score0.00214EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/14 6:48 p.m.44 views

CVE-2026-23998 Fleet has a Windows MDM management endpoint authentication bypass

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled...

8.2CVSS0.00214EPSS
Exploits0References2
OSV
OSV
added 2026/05/14 1:13 p.m.11 views

GHSA-2RC4-7JC6-QFFH Fleet has a Windows MDM management endpoint authentication bypass

Summary A vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data. Impact...

8.2CVSS5.8AI score0.00214EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/04/14 7:22 p.m.7 views

CVE-2025-13914

A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM attacker to impersonate managed devices. Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH...

8.7CVSS5.8AI score0.00281EPSS
Exploits0References1
Rows per page
Query Builder