CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-32457
ON Semiconductor Quantenna router_command.sh (in the get_file_from_qtn argument) Argument Injection
Description: The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the get_file_from_qtn argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 ( CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) . This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.

CVSS: HIGH (7.7)

EPSS Score: 0.12%

Source: CVE
June 8th, 2025 (19 days ago)

CVE-2025-32456
ON Semiconductor Quantenna router_command.sh (in the put_file_to_qtn argument) Argument Injection
Description: The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the put_file_to_qtn argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 ( CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) . This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.

CVSS: HIGH (7.7)

EPSS Score: 0.12%

Source: CVE
June 8th, 2025 (19 days ago)

CVE-2025-32455
ON Semiconductor Quantenna router_command.sh (in the run_cmd argument) Argument Injection
Description: The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the run_cmd argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 ( CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) . This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.

CVSS: HIGH (7.7)

EPSS Score: 0.12%

Source: CVE
June 8th, 2025 (19 days ago)
US infrastructure could crumble under cyberattack, ex-NSA advisor warns
Source: TheRegister
June 8th, 2025 (19 days ago)
New Mirai botnet infect TBK DVR devices via command injection flaw
Description: A new variant of the Mirai malware botnet is exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recording devices to hijack them. [...]
Source: BleepingComputer
June 8th, 2025 (20 days ago)

CVE-2025-5847
Tenda AC9 HTTP POST Request SetRemoteWebCfg formSetSafeWanWebMan stack-based overflow
Description: A vulnerability has been found in Tenda AC9 15.03.02.13 and classified as critical. Affected by this vulnerability is the function formSetSafeWanWebMan of the file /goform/SetRemoteWebCfg of the component HTTP POST Request Handler. The manipulation of the argument remoteIp leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. In Tenda AC9 15.03.02.13 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Dabei geht es um die Funktion formSetSafeWanWebMan der Datei /goform/SetRemoteWebCfg der Komponente HTTP POST Request Handler. Durch das Manipulieren des Arguments remoteIp mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

CVSS: HIGH (8.8)

EPSS Score: 0.09%

Source: CVE
June 8th, 2025 (20 days ago)
New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally
Description: Cybersecurity researchers have flagged a supply chain attack targeting over a dozen packages associated with GlueStack to deliver malware. The malware, introduced via a change to "lib/commonjs/index.js," allows an attacker to run shell commands, take screenshots, and upload files to infected machines, Aikido Security told The Hacker News, stating these packages collectively account for nearly 1
Source: TheHackerNews
June 8th, 2025 (20 days ago)
Enterprises are getting stuck in AI pilot hell, say Chatterbox Labs execs
Source: TheRegister
June 8th, 2025 (20 days ago)

CVE-2025-27563
security_access_token has an improper preservation of permissions vulnerability
Description: in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.

CVSS: LOW (3.3)

EPSS Score: 0.01%

Source: CVE
June 8th, 2025 (20 days ago)

CVE-2025-27247
Pasteboard has an improper preservation of permissions vulnerability
Description: in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.

CVSS: MEDIUM (5.5)

EPSS Score: 0.01%

Source: CVE
June 8th, 2025 (20 days ago)