Threat and Vulnerability Intelligence Database

CVE-2025-0960

Description:
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: AutomationDirect
Equipment: C-more EA9 HMI
Vulnerability: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition or achieve remote code execution on the affected device.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following AutomationDirect products are affected:
C-more EA9 HMI EA9-T6CL: v6.79 and prior
C-more EA9 HMI EA9-T7CL-R: v6.79 and prior
C-more EA9 HMI EA9-T7CL: v6.79 and prior
C-more EA9 HMI EA9-T8CL: v6.79 and prior
C-more EA9 HMI EA9-T10CL: v6.79 and prior
C-more EA9 HMI EA9-T10WCL: v6.79 and prior
C-more EA9 HMI EA9-T12CL: v6.79 and prior
C-more EA9 HMI EA9-T15CL-R: v6.79 and prior
C-more EA9 HMI EA9-T15CL: v6.79 and prior
C-more EA9 HMI EA9-RHMI: v6.79 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-120
AutomationDirect C-more EA9 HMI contains a function with bounds checks that can be skipped, which could result in an attacker abusing the function to cause a denial-of-service condition or achieve remote code execution on the affected device. CVE-2025-0960 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS v4 score has also bee...

EPSS Score: 0.04%

Source: All CISA Advisories
February 4th, 2025 (5 months ago)

CVE-2024-12399

Description:
1. EXECUTIVE SUMMARY
CVSS v4 6.1
ATTENTION: Exploitable remotely
Vendor: Schneider Electric
Equipment: Pro-face GP-Pro EX and Remote HMI
Vulnerability: Improper Enforcement of Message Integrity During Transmission in a Communication Channel

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow man-in-the-middle attacks, resulting in information disclosure, integrity issues, and operational failures.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Pro-face GP-Pro EX and Remote HMI are affected:
Pro-face GP-Pro EX: All versions
Pro-face Remote HMI: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER ENFORCEMENT OF MESSAGE INTEGRITY DURING TRANSMISSION IN A COMMUNICATION CHANNEL CWE-924
The affected products are vulnerable to an improper enforcement of message integrity during transmission in a communication channel vulnerability that could cause partial loss of confidentiality, loss of integrity, and loss of availability of the HMI when an attacker performs a man-in-the-middle attack by intercepting the communication. CVE-2024-12399 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2024-12399. A base score of 6.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: E...

EPSS Score: 0.04%

Source: All CISA Advisories
February 4th, 2025 (5 months ago)

CVE-2024-12476

Description:
1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Schneider Electric
Equipment: Web Designer for Modicon
Vulnerability: Improper Restriction of XML External Entity Reference

2. RISK EVALUATION
Successful exploitation of this vulnerability could result in information disclosure, loss of workstation integrity, and potential remote code execution on the compromised computer.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Web Designer for Modicon are affected:
Web Designer for BMXNOR0200H: All versions
Web Designer for BMXNOE0110(H): All versions
Web Designer for BMENOC0311(C): All versions
Web Designer for BMENOC0321(C): All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611
The affected product is vulnerable to an improper restriction of XML external entity reference vulnerability that could cause information disclosure, impacts to workstation integrity, and potential remote code execution on the compromised computer when a specifically crafted XML file is imported in the Web Designer configuration tool. CVE-2024-12476 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED:...

EPSS Score: 0.04%

Source: All CISA Advisories
February 4th, 2025 (5 months ago)

CVE-2024-12142

Description:
1. EXECUTIVE SUMMARY
CVSS v3 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Modicon M340 and BMXNOE0100/0110, BMXNOR0200H
Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION
Successful exploitation of this vulnerability could cause information disclosure of a restricted web page, modification of a web page, and a denial of service when specific web pages are modified and restricted functions are invoked.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Schneider Electric products, Modicon M340 and BMXNOE0100/0110, BMXNOR0200H, are affected:
Modicon M340 processors (part numbers BMXP34*): All versions
BMXNOE0100: All versions
BMXNOE0110: All versions
BMXNOR0200H: Versions prior to SV1.70IR26

3.2 VULNERABILITY OVERVIEW
3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
The affected products are vulnerable to an exposure of sensitive information to an unauthorized actor vulnerability, which could cause information disclosure of a restricted web page, modification of a web page, and a denial of service when specific web pages are modified and restricted functions are invoked. CVE-2024-12142 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).

3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
COUNTRIES/ARE...

EPSS Score: 0.04%

Source: All CISA Advisories
February 4th, 2025 (5 months ago)

CVE-2024-45195

Description: Apache OFBiz contains a forced browsing vulnerability that allows a remote attacker to obtain unauthorized access.

EPSS Score: 75.58%

Source: CISA KEV
February 4th, 2025 (5 months ago)

CVE-2024-29059

Description: Microsoft .NET Framework contains an information disclosure vulnerability that exposes the ObjRef URI to an attacker, ultimately enabling remote code execution.

Source: CISA KEV
February 4th, 2025 (5 months ago)

CVE-2018-9276

Description: Paessler PRTG Network Monitor contains an OS command injection vulnerability that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console.

Source: CISA KEV
February 4th, 2025 (5 months ago)

CVE-2018-19410

Description: Paessler PRTG Network Monitor contains a local file inclusion vulnerability that allows a remote, unauthenticated attacker to create users with read-write privileges (including administrator).

Source: CISA KEV
February 4th, 2025 (5 months ago)

Description: As the gateways to corporate networks, VPNs are an attractive target for attackers. Learn from Specops Software about how hackers use compromised VPN passwords and how you can protect your organization. [...]
Source: BleepingComputer
February 4th, 2025 (5 months ago)