CVE-2024-12248 |
Description: The affected product is vulnerable to an out-of-bounds write, which could allow an attacker to send specially formatted UDP requests in order to write arbitrary data. This could result in remote code execution.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
January 31st, 2025 (3 months ago)
|
CVE-2025-0477 |
Description:
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk AssetCentre
Vulnerabilities: Inadequate Encryption Strength, Insufficiently Protected Credentials
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to extract passwords, access credentials, or impersonate other users.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Rockwell Automation FactoryTalk AssetCentre are affected:
FactoryTalk AssetCentre: All versions prior to V15.00.001
3.2 Vulnerability Overview
3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326
An encryption vulnerability exists in all versions prior to V15.00.001 of FactoryTalk AssetCentre. The vulnerability exists due to a weak encryption methodology and could allow a threat actor to extract passwords belonging to other users of the application.
CVE-2025-0477 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-0477. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522
A data exposure vulnerability exists in all versions prior to V15.00.001 of FactoryTalk AssetCentre. The vulnerability exists due to storing credentials in the co...
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
January 30th, 2025 (3 months ago)
|
CVE-2024-8884 |
Description:
1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Harmony Industrial PC, Pro-face Industrial PC
Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to access sensitive information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
System Monitor application in Harmony Industrial PC: All versions
System Monitor application in Pro-face Industrial PC: All versions
3.2 Vulnerability Overview
3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
An information exposure vulnerability exists that could cause exposure of credentials when an attacker has access to the application on the network over HTTP.
CVE-2024-8884 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Schneider Electric CPCERT reported this vulnerability to CISA.
4. MITIGATIONS
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:
System Monitor application in Harmony Industrial PC: Users...
CVSS: CRITICAL (9.8)
January 30th, 2025 (3 months ago)
|
CVE-2025-21415 |
Description: Authentication bypass by spoofing in Azure AI Face Service allows an authorized attacker to elevate privileges over a network.
CVSS: CRITICAL (9.9) EPSS Score: 0.09%
January 30th, 2025 (3 months ago)
|
CVE-2025-20061 |
Description: mySCADA myPRO does not properly neutralize POST requests sent to a specific port with email information. This vulnerability could be exploited by an attacker to execute arbitrary commands on the affected system.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
January 30th, 2025 (3 months ago)
|
CVE-2025-20014 |
Description: mySCADA myPRO does not properly neutralize POST requests sent to a specific port with version information. This vulnerability could be exploited by an attacker to execute arbitrary commands on the affected system.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
January 30th, 2025 (3 months ago)
|
CVE-2025-0851 |
Description: A path traversal issue in ZipUtils.unzip and TarUtils.untar in Deep Java Library (DJL) on all platforms allows a bad actor to write files to arbitrary locations.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
January 30th, 2025 (3 months ago)
|
CVE-2025-0798 |
Description: A vulnerability was found in MicroWorld eScan Antivirus 7.0.32 on Linux. It has been rated as critical. This issue affects some unknown processing of the file rtscanner of the component Quarantine Handler. The manipulation leads to OS command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS: CRITICAL (9.2) EPSS Score: 0.06%
January 30th, 2025 (3 months ago)
|
CVE-2025-22604 |
Description: A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework that could allow an authenticated attacker to achieve remote code execution on susceptible instances.
The flaw, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a maximum of 10.0.
"Due to a flaw in the multi-line SNMP result parser, authenticated users can inject
CVSS: CRITICAL (9.1) EPSS Score: 0.04%
January 29th, 2025 (3 months ago)
|
CVE-2025-24800 |
Description: Hyperbridge is a hyper-scalable coprocessor for verifiable, cross-chain interoperability. A critical vulnerability was discovered in the ismp-grandpa crate that allowed a malicious prover to easily convince the verifier of the finality of arbitrary headers. This could be used to steal funds or compromise other kinds of cross-chain applications. This vulnerability is fixed in 15.0.1.
CVSS: CRITICAL (9.3) EPSS Score: 0.05%
January 29th, 2025 (3 months ago)
|