Microsoft Windows Extended Security Updates (ESU) Status Detection
SMB login-based detection of the Microsoft Windows Extended Security Updates (ESU) status. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
CVE-2025-34350 UnForm Server < 10.1.15 Doc Flow Unauthenticated File Read
UnForm Server versions prior to 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature's 'arc' endpoint. The Doc Flow module uses the 'arc' handler to retrieve and render pages or resources specified by the user-supplied 'pp' parameter, but it does so...
kernel: smb: client: fix potential UAF in cifs_stats_proc_write()
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_stats_proc_write(). Skip sessions that are being torn down (status == SES_EXITING) to avoid UAF...
PT-2025-48076
Name of the Vulnerable Software and Affected Versions: UnForm Server versions prior to 10.1.15. Description: UnForm Server versions prior to 10.1.15 have an unauthenticated arbitrary file read and SMB coercion issue in the Doc Flow feature's arc endpoint. The Doc Flow module uses the arc handler to...
Microsoft Windows SMB to MSSQL Relay
This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an MSSQL server on the configured RHOSTS hosts. If the relay succeeds, an MSSQL session to the target will be created. This can be used by any modules that support MSSQL...
Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-7874-1)
The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-7874-1 advisory. Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered that the Linux kernel contained insufficient branch predictor...
USN-7874-2 linux-fips, linux-aws-fips, linux-gcp-fips vulnerabilities
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered that the Linux kernel contained insufficient branch predictor isolation between a guest and a userspace hypervisor for certain processors. This flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this t...
USN-7874-1 linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp vulnerabilities
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered that the Linux kernel contained insufficient branch predictor isolation between a guest and a userspace hypervisor for certain processors. This flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this t...
ROS-20251117-08
Vulnerability of the ksmbd_expire_session function in the fs/smb/server/mgmt/user_session.c module of the in-kernel CIFS/SMB3 ksmbd server of the Linux operating system is related to reuse of previously freed memory. Exploitation of the vulnerability could allow an attacker to...
curl: Off-by-One Buffer Overflow in SMB Path Handler
Summary: Found an off-by-one buffer overflow in lib/smb.c when handling SMB file paths. The bounds check uses a strict comparison instead of an inclusive (=) one, allowing a path of exactly 1023 bytes to overflow the 1024-byte buffer by one byte when the null terminator is added. Details: File: lib/smb.c; Function: smb_send_open; Lines: 784...
Siemens SIMATIC S7-1500 Use After Free (CVE-2022-43552)
curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can and often do deny such tunnel operations using an appropriate HTTP error response code. When denied permission to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struc...
CVE-2025-11696
A local server-side request forgery SSRF security issue exists within Studio 5000® Simulation Interface™ via the API. This vulnerability allows any Windows user on the system to trigger outbound SMB requests, enabling the capture of NTLM hashes...
CVE-2025-11696 Studio 5000 ® Simulation Interface SSRF
A local server-side request forgery SSRF security issue exists within Studio 5000® Simulation Interface™ via the API. This vulnerability allows any Windows user on the system to trigger outbound SMB requests, enabling the capture of NTLM hashes...
kernel: smb: client: Add check for next_buffer in receive_encrypted_standard()
In the Linux kernel, the following vulnerability has been resolved: smb: client: Add check for next_buffer in receive_encrypted_standard(). Add check for the return value of cifs_buf_get and cifs_small_buf_get in receive_encrypted_standard to prevent null pointer dereference...
RockyLinux 9 : kernel (RLSA-2025:19105)
The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2025:19105 advisory. kernel: vsock/virtio: Validate length in packet header before skb_put (CVE-2025-39718); kernel: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry...
smb: client: fix UAF in decryption with multichannel
...
Oracle Linux 8 : kernel (ELSA-2025-19447)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2025-19447 advisory. - smb3: missing lock when picking channel Paulo Alcantara RHEL-109546 CVE-2024-35999 - smb: client: fix potential deadlock when reconnecting channels...
Astra Linux - vulnerability in linux-6.12
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix warning when reconnecting channel. When reconnecting a channel in smb2_reconnect_server(), a dummy tcon is passed down to smb2_reconnect() with ->query_interface uninitialized, so we can't call queue_delayed_work() on it. Fix...
smb: client: Fix refcount leak for cifs_sb_tlink
...
EUVD-2025-36975
In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix refcount leak for cifs_sb_tlink. Fix three refcount inconsistency issues related to cifs_sb_tlink. Comments for cifs_sb_tlink state that cifs_put_tlink needs to be called after successful calls to cifs_sb_tlink. Three calls...