CVE-2025-48018 |
Description: An authenticated user can modify application state data.
CVSS: HIGH (7.5) EPSS Score: 0.02% SSVC Exploitation: none
May 20th, 2025 (27 days ago)
|
CVE-2025-48014 |
Description: Password guessing limits could be bypassed when using LDAP authentication.
CVSS: HIGH (7.5) EPSS Score: 0.05% SSVC Exploitation: none
May 20th, 2025 (27 days ago)
|
CVE-2025-41450 |
Description:
1. EXECUTIVE SUMMARY
CVSS v4 7.3
ATTENTION: Exploitable remotely
Vendor: Danfoss
Equipment: AK-SM 8xxA Series
Vulnerability: Improper Authentication
2. RISK EVALUATION
Successful exploitation of this vulnerability could enable a remote attacker to bypass authentication and execute arbitrary code remotely.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of AK-SM 800A system manager are affected:
AK-SM 8xxA Series: Versions prior to R4.2
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER AUTHENTICATION CWE-287
An unauthorized access vulnerability, caused by datetime-based password generation, could potentially result in an authentication bypass.
CVE-2025-41450 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:H).
A CVSS v4 score has also been calculated for CVE-2025-41450. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Denmark
3.4 RESEARCHER
Tomer Goldschmidt of Claroty Team82 reported this vulnerability to CISA.
4. MITIGATIONS
Danfoss has created release R4.2 to address this vulnerability. Users can obtain and install the latest version by following the AK-SM 800A Software Upgrade Process.
For more information, please s...
CVSS: HIGH (8.2) EPSS Score: 0.05%
May 20th, 2025 (27 days ago)
|
CVE-2025-2875 |
Description:
1. EXECUTIVE SUMMARY
CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Modicon Controllers M241/M251/M258/LMC058
Vulnerability: Externally Controlled Reference to a Resource in Another Sphere
2. RISK EVALUATION
Successful exploitation of this vulnerability could cause a loss of confidentiality when an unauthenticated attacker manipulates a controller's webserver URL to access resources.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
Schneider Electric Modicon Controllers M241: Versions prior to 5.3.12.48
Schneider Electric Modicon Controllers M251: Versions prior to 5.3.12.48
Schneider Electric Modicon Controllers M258: All versions
Schneider Electric Modicon Controllers LMC058: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 EXTERNALLY CONTROLLED REFERENCE TO A RESOURCE IN ANOTHER SPHERE CWE-610
CWE-610: Externally Controlled Reference to a Resource in Another Sphere vulnerability exists that could cause a loss of confidentiality when an unauthenticated attacker manipulates a controller's webserver URL to access resources.
CVE-2025-2875 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-2875. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L...
CVSS: HIGH (7.5) EPSS Score: 0.08%
May 20th, 2025 (27 days ago)
|
CVE-2025-30417 |
Description:
1. EXECUTIVE SUMMARY
CVSS v4 8.4
ATTENTION: Low attack complexity
Vendor: National Instruments
Equipment: Circuit Design Suite
Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read, Stack-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following National Instruments products are affected:
Circuit Design Suite: Versions 14.3.0 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
An out-of-bounds write vulnerability in DecodeBase64() within Circuit Design Suite, caused by improper input validation, may result in arbitrary code execution. To exploit this flaw, an attacker must trick a user into opening a specially crafted SYM file.
CVE-2025-30417 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-30417. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 OUT-OF-BOUNDS WRITE CWE-787
An out-of-bounds write vulnerability in CheckPins() within Circuit Design Suite, caused by improper input validation, may result in arbitrary code execution. To exploit this flaw, an attacker must trick a user into opening a specially crafted SYM file.
CVE-2025-30418 h...
CVSS: HIGH (7.8) EPSS Score: 0.02%
May 20th, 2025 (27 days ago)
|
CVE-2025-47941 |
Description: TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, the multifactor authentication (MFA) dialog presented during backend login can be bypassed due to insufficient enforcement of access restrictions on all backend routes. Successful exploitation requires valid backend user credentials, as MFA can only be bypassed after successful authentication. Users should update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to fix the problem.
CVSS: HIGH (7.2) EPSS Score: 0.09% SSVC Exploitation: none
May 20th, 2025 (27 days ago)
|
CVE-2025-47940 |
Description: TYPO3 is an open source, PHP based web content management system. Starting in version 10.0.0 and prior to versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access. Exploiting this vulnerability requires a valid administrator account. Users should update to TYPO3 version 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.
CVSS: HIGH (7.2) EPSS Score: 0.05% SSVC Exploitation: none
May 20th, 2025 (27 days ago)
|
CVE-2025-41225 |
Description: The vCenter Server contains an authenticated command-execution vulnerability. A malicious actor with privileges to create or modify alarms and run script action may exploit this issue to run arbitrary commands on the vCenter Server.
CVSS: HIGH (8.8) EPSS Score: 0.02%
May 20th, 2025 (27 days ago)
|
CVE-2024-5124 |
Description: A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could potentially guess user passwords, compromising the security of the system.
CVSS: HIGH (7.5) EPSS Score: 31.24% SSVC Exploitation: poc
May 20th, 2025 (27 days ago)
|
CVE-2024-53359 |
Description: An issue in Zalo v23.09.01 allows attackers to obtain sensitive user information via a crafted GET request.
CVSS: HIGH (7.5) EPSS Score: 0.04%
May 20th, 2025 (27 days ago)
|