2931 matches found

Vulnrichment
added 2025/11/24 12:0 a.m. · 3 views

CVE-2025-63435

Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official...

AI score 6.7 · EPSS 0.00316
Exploits: 1 · References: 2
Cvelist
added 2025/11/24 12:0 a.m. · 6 views

CVE-2025-63435

Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official...

EPSS 0.00316
Exploits: 1 · References: 2
The Hacker News
added 2025/11/22 6:45 a.m. · 12 views

CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2025-61757 (CVSS score: 9.8), a...

CVSS 9.8 · AI score 8.5 · EPSS 0.88312
Exploits: 1
CISA
added 2025/11/21 12:0 p.m. · 10 views

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-61757 Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability. This type of vulnerability is a frequent attack...

CVSS 9.8 · AI score 6.8 · EPSS 0.88312
In wild · Exploits: 1 · References: 6
CVE
added 2025/11/21 7:31 a.m. · 13 views

CVE-2025-11771

CVE-2025-11771 concerns the TokenICO WordPress plugin for Cryptocurrency Launchpad, Presale, ICO/IDO, and Airdrop. The issue arises from missing authentication and capability checks in the createSaleRecord function, allowing unauthenticated modification of presale counters. Affected versions incl...

CVSS 5.3 · AI score 5.9 · EPSS 0.00276
Exploits: 0 · References: 3
CISA KEV Catalog
added 2025/11/21 12:0 a.m. · 8 views

Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability

Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager...

CVSS 9.8 · AI score 7.1 · EPSS 0.88312
In wild · Exploits: 1
CVE
added 2025/11/20 8:25 p.m. · 12 views

CVE-2025-64770

CVE-2025-64770 involves unauthenticated access to ONVIF services in affected iCam365 network cameras (e.g., iCam365 P201 and P201 QC021), potentially exposing camera configuration information. The Red Hat and EUVD entries mirror the same description. No concrete patch/version or remediation is sp...

CVSS 7 · AI score 6.6 · EPSS 0.00167
Exploits: 0 · References: 3
Vulnrichment
added 2025/11/20 8:25 p.m. · 4 views

CVE-2025-64770 Missing Authentication for ONVIF in iCam Cameras

The affected products allow unauthenticated access to Open Network Video Interface Forum (ONVIF) services, which may allow an attacker unauthorized access to camera configuration information...

CVSS 7 · AI score 6.6 · EPSS 0.00167
Exploits: 0 · References: 3
RedhatCVE
added 2025/11/20 12:21 a.m. · 6 views

CVE-2025-63221

The Axel Technology puma devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system...

CVSS 9.1 · AI score 7.1 · EPSS 0.00476
Exploits: 1 · References: 1
RedhatCVE
added 2025/11/19 12:11 a.m. · 8 views

CVE-2025-63225

The Eurolab ELTS100UBX device firmware version ELTS100v1.UBX is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network configurations, upload firmware, and execute unauthorized...

CVSS 9.8 · AI score 7.4 · EPSS 0.0055
Exploits: 1 · References: 1
CVE
added 2025/11/19 12:0 a.m. · 11 views

CVE-2025-63218

The CVE-2025-63218 vulnerability affects Axel Technology WOLF1MS and WOLF2MS devices (firmware 0.8.5–1.0.3). It is caused by Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint, enabling unauthenticated remote attackers to list user accounts, create administr...

CVSS 9.8 · AI score 6.7 · EPSS 0.00577
Exploits: 1 · References: 2 · Affected Software: 1
EUVD
added 2025/11/18 12:5 p.m. · 5 views

EUVD-2025-197988

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the affected components ma...

CVSS 9.8 · AI score 6.8 · EPSS 0.00222
Exploits: 0 · References: 2
RedhatCVE
added 2025/11/17 7:3 a.m. · 15 views

CVE-2025-59780

General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to send GET requests to obtain sensitive device information...

CVSS 8.7 · AI score 6.9 · EPSS 0.00336
Exploits: 0 · References: 1
RedhatCVE
added 2025/11/16 10:47 p.m. · 7 views

CVE-2025-64179

lakeFS is an open-source tool that transforms object storage into Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may...

CVSS 5.3 · AI score 6.7 · EPSS 0.00245
Exploits: 0 · References: 1
NVD
added 2025/11/15 12:15 a.m. · 5 views

CVE-2025-58083

General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to remotely reset the device...

CVSS 10 · EPSS 0.0063
Exploits: 0 · References: 2
Cvelist
added 2025/11/14 11:26 p.m. · 8 views

CVE-2025-59780 General Industrial Controls Lynx+ Gateway Missing Authentication for Critical Function

General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to send GET requests to obtain sensitive device information...

CVSS 8.7 · EPSS 0.00336
Exploits: 0 · References: 2
CVE
added 2025/11/14 11:26 p.m. · 13 views

CVE-2025-59780

CVE-2025-59780 affects the General Industrial Controls Lynx+ Gateway. The connected documents confirm a lack of authentication in the device’s embedded web server, enabling an attacker to send GET requests that could reveal sensitive device information. There are multiple sources (NVD/Red Hat/CNN...

CVSS 8.7 · AI score 6.6 · EPSS 0.00336
Exploits: 0 · References: 2
Vulnrichment
added 2025/11/14 11:26 p.m. · 4 views

CVE-2025-59780 General Industrial Controls Lynx+ Gateway Missing Authentication for Critical Function

General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to send GET requests to obtain sensitive device information...

CVSS 8.7 · AI score 6.5 · EPSS 0.00336
Exploits: 0 · References: 2
CVE
added 2025/11/14 11:24 p.m. · 24 views

CVE-2025-58083

CVE-2025-58083 affects General Industrial Controls Lynx+ Gateway. The embedded web server lacks critical authentication, enabling remote attackers to reset the device. This is supported by multiple advisories (CISA ICSA-25-317-08, EUVD/EU ENISA, Red Hat/RH CVE pages) describing missing authentica...

CVSS 10 · AI score 6.6 · EPSS 0.0063
Exploits: 0 · References: 2
Cvelist
added 2025/11/14 11:24 p.m. · 10 views

CVE-2025-58083 General Industrial Controls Lynx+ Gateway Missing Authentication for Critical Function

General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to remotely reset the device...

CVSS 10 · EPSS 0.0063
Exploits: 0 · References: 2