CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-4704 |
Description: A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/edit-category.php. The manipulation of the argument editid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Eine Schwachstelle wurde in PHPGurukul Vehicle Parking Management System 1.13 gefunden. Sie wurde als kritisch eingestuft. Dies betrifft einen unbekannten Teil der Datei /admin/edit-category.php. Dank Manipulation des Arguments editid mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.3) EPSS Score: 0.03% SSVC Exploitation: poc
May 15th, 2025 (about 1 month ago)
|
|
CVE-2025-4703 |
Description: A vulnerability has been found in PHPGurukul Vehicle Parking Management System 1.13 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/admin-profile.php. The manipulation of the argument contactnumber leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. In PHPGurukul Vehicle Parking Management System 1.13 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Das betrifft eine unbekannte Funktionalität der Datei /admin/admin-profile.php. Dank der Manipulation des Arguments contactnumber mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.3) EPSS Score: 0.03% SSVC Exploitation: poc
May 15th, 2025 (about 1 month ago)
|
|
CVE-2024-52880 |
Description: An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, SecureBootHandler uses DataSize and VariableNameSize when determining if the data or name are in the buffer, but these are supplied by the caller and therefore cannot be trusted.
CVSS: HIGH (7.9) EPSS Score: 0.02%
May 15th, 2025 (about 1 month ago)
|
|
CVE-2024-52879 |
Description: An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, SmmUpdateVariablePropertySmi () is a SMM callback function and it uses StrCmp () to compare variable names. This action may cause a buffer over-read.
CVSS: HIGH (7.5) EPSS Score: 0.04%
May 15th, 2025 (about 1 month ago)
|
|
CVE-2024-52878 |
Description: An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, VariableServicesSetVariable () can be called by gRT_>SetVariable () or the SmmSetSensitiveVariable () or SmmInternalSetVariable () from SMM. In VariableServicesSetVariable (), it uses StrSize () to get variable name size, uses StrLen () to get variable name length and uses StrCmp () to compare strings. These actions may cause a buffer over-read.
CVSS: HIGH (7.5) EPSS Score: 0.04%
May 15th, 2025 (about 1 month ago)
|
|
CVE-2024-0056 |
Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY
CVSS v3 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: INTRALOG WMS
Vulnerabilities: Cleartext Transmission of Sensitive Information, Uncontrolled Resource Consumption, Use After Free, Improper Link Resolution Before File Access ('Link Following'), Improper Input Validation, Inefficient Algorithmic Complexity
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to bypass security features, cause a denial-of-service condition, or execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
Siemens INTRALOG WMS: All versions prior to v5
3.2 VULNERABILITY OVERVIEW
3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
CVE-2024-0056 has been assigned to this vulnerability. A CVSS v3 base score of 8.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
3.2.2 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
.NET Denial-of-Service Vulnerability
CVE-2024...
CVSS: HIGH (8.7)
May 15th, 2025 (about 1 month ago)
|
|
CVE-2024-23815 |
Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Desigo
Vulnerability: Missing Authentication for Critical Function
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
Siemens Desigo CC: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The affected server application fails to authenticate specific client requests. Modification of the client binary could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database via the event port (default: 4998/tcp) For Desigo CC: If access from Installed Clients to Desigo CC server is only allowed within highly protected zones: Exploitation of this issue requires an attacker to get access to an Installed Client application in the "highly protected zone" (i.e. a physically separated private network), and bypass the hardening measures as described by Des...
CVSS: HIGH (7.5) EPSS Score: 0.04%
May 15th, 2025 (about 1 month ago)
|
|
CVE-2025-32454 |
Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 8.2
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: Teamcenter Visualization
Vulnerability: Out-of-bounds Read
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
Siemens Teamcenter Visualization V14.3: All versions prior to V14.3.0.14
Siemens Teamcenter Visualization V2312: All versions prior to V2312.0010
Siemens Teamcenter Visualization V2406: All versions prior to V2406.0008
Siemens Teamcenter Visualization V2412: All versions prior to V2412.0004
3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS READ CWE-125
The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.
CVE-2025-32454 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score ...
CVSS: HIGH (7.8) EPSS Score: 0.02%
May 15th, 2025 (about 1 month ago)
|
|
CVE-2025-30174 |
Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: User Management Component (UMC)
Vulnerabilities: Out-of-bounds Read, Out-of-bounds Write
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
Siemens SIMATIC PCS neo V4.1: All versions
Siemens SIMATIC PCS neo V5.0: All versions
Siemens SINEC NMS: All versions
Siemens SINEMA Remote Connect: All versions
Siemens Totally Integrated Automation Portal (TIA Portal) V17: All versions
Siemens Totally Integrated Automation Portal (TIA Portal) V18: All versions
Siemens Totally Integrated Automation Portal (TIA Portal) V19: All versions
Siemens Totally Integrated Automation Portal (TIA Portal) V20: All versions
Siemens User Management Component (UMC): All versions prior to V2.15.1.1
3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS READ CWE-125
The affected products contain a out-of-bound read buffer overflow vulnerability in the integrated UMC componen...
CVSS: HIGH (7.5) EPSS Score: 0.07%
May 15th, 2025 (about 1 month ago)
|
|
CVE-2025-24007 |
Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIRIUS 3RK3 Modular Safety System (MSS), SIRIUS Safety Relays 3SK2
Vulnerabilities: Use of a Broken or Risky Cryptographic Algorithm, Missing Encryption of Sensitive Data, Incorrect Permission Assignment for Critical Resource
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to retrieve and de-obfuscate safety password, eavesdrop connections, or retrieve sensitive information from certain data records.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
SIRIUS 3RK3 Modular Safety System (MSS): All versions
SIRIUS Safety Relays 3SK2: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327
Affected devices only provide weak password obfuscation. An attacker with network access could retrieve and de-obfuscate the safety password used for protection against inadvertent operating errors.
CVE-2025-24007 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector...
CVSS: HIGH (7.5) EPSS Score: 0.02%
May 15th, 2025 (about 1 month ago)
|