Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-12922 |
Description: The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVSS: CRITICAL (9.8) EPSS Score: 0.07%
March 19th, 2025 (about 1 month ago)
|
|
CVE-2024-11131 |
Description: A vulnerability regarding out-of-bounds read is found in the video interface. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.2.0-0525 may be affected: BC500, CC400W and TC500.
CVSS: CRITICAL (9.8) EPSS Score: 0.17%
March 19th, 2025 (about 1 month ago)
|
|
CVE-2024-10442 |
Description: Off-by-one error vulnerability in the transmission component in Synology Replication Service before 1.0.12-0066, 1.2.2-0353 and 1.3.0-0423 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code, potentially leading to a broader impact across the system via unspecified vectors.
CVSS: CRITICAL (10.0) EPSS Score: 0.26%
March 19th, 2025 (about 1 month ago)
|
|
CVE-2024-23486 |
Description: Plaintext storage of a password issue exists in BUFFALO wireless LAN routers, which may allow a network-adjacent unauthenticated attacker with access to the product's login page may obtain configured credentials.
CVSS: CRITICAL (9.8) EPSS Score: 0.42% SSVC Exploitation: none
March 18th, 2025 (about 1 month ago)
|
|
CVE-2024-56347 |
Description: IBM AIX 7.2 and 7.3 nimsh service SSL/TLS protection mechanisms could allow a remote attacker to execute arbitrary commands due to improper process controls.
CVSS: CRITICAL (9.6) EPSS Score: 0.07%
March 18th, 2025 (about 1 month ago)
|
|
CVE-2024-56346 |
Description: IBM AIX 7.2 and 7.3 nimesis NIM master service could allow a remote attacker to execute arbitrary commands due to improper process controls.
CVSS: CRITICAL (10.0) EPSS Score: 0.09%
March 18th, 2025 (about 1 month ago)
|
|
CVE-2025-1960 |
Description: View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 9.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: WebHMI – Deployed with EcoStruxure Power Automation System
Vulnerability: Initialization of a Resource with an Insecure Default
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow unauthorized access to the underlying software application running WebHMI.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports the following products are affected because they use WebHMI v4.1.0.0 and prior:
EcoStruxure Power Automation System: Versions 2.6.30.19 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 Initialization of a Resource with an Insecure Default CWE-1188
An initialization of a resource with an insecure default vulnerability exists that could cause an attacker to execute unauthorized commands when a system's default password credentials have not been changed on first use. The default username is not displayed correctly in the WebHMI interface.
CVE-2025-1960 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-1960. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, En...
CVSS: CRITICAL (9.2) EPSS Score: 0.06%
March 18th, 2025 (about 1 month ago)
|
|
CVE-2025-22224 |
Description: View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 9.4
ATTENTION: Low attack complexity/public exploits are available/known public exploitation
Vendor: Rockwell Automation
Equipment: Industrial Data Center (IDC) with VMware, VersaVirtual Appliance (VVA) with VMware, Threat Detection Managed Services (TDMS) with VMware, Endpoint Protection Service with RA Proxy & VMware, Engineered and Integrated Solutions with VMware
Vulnerabilities: Time-of-check Time-of-use (TOCTOU) Race Condition, Write-what-where Condition, Out-of-bounds Read
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker with local administrative privileges to execute code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Rockwell Automation Lifecycle Services with VMware are affected:
Industrial Data Center (IDC) with VMware: Generations 1 through 4
VersaVirtual Appliance (VVA) with VMware: Series A and B
Threat Detection Managed Services (TDMS) with VMware: All versions
Endpoint Protection Service with RA Proxy & VMware only: All versions
Engineered and Integrated Solutions with VMware: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION CWE-367
A time of check time of use (TOCTOU) vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with local administrative privileges to execute code as the virtual machine's VMX process running on the host....
CVSS: CRITICAL (9.3) EPSS Score: 24.22%
March 18th, 2025 (about 1 month ago)
|
|
CVE-2024-11482 |
Description: A vulnerability in ESM 11.6.10 allows unauthenticated access to the internal Snowservice API and enables remote code execution through command injection, executed as the root user.
CVSS: CRITICAL (9.8) EPSS Score: 0.85% SSVC Exploitation: none
March 18th, 2025 (about 1 month ago)
|
|
Description: A critical security vulnerability has been disclosed in AMI's MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions.
The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity.
"A local or remote attacker can exploit the vulnerability by accessing the
CVSS: CRITICAL (10.0) EPSS Score: 0.1%
March 18th, 2025 (about 1 month ago)
|