
Threat and Vulnerability Intelligence Database

CVE-2025-50819

Description: Directory traversal vulnerability in beiyuouo arxiv-daily through 2025-05-06 (commit fad168770b0e68aef3e5acfa16bb2e7a7765d687) when parsing the topic.yml file in the generation logic in daily_arxiv.py.

SSVC Exploitation: poc

Source: CVE
July 15th, 2025 (about 4 hours ago)

CVE-2024-42650

Description: NanoMQ 0.17.5 was discovered to contain a segmentation fault via the component /nanomq/pub_handler.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PUBLISH message.
Source: CVE
July 15th, 2025 (about 4 hours ago)

Description: ProActive Solutions USA falls victim to Qilin Ransomware
Source: DarkWebInformer
July 15th, 2025 (about 4 hours ago)

CVE-2019-9262

Description:
1. EXECUTIVE SUMMARY
CVSS v4 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Energy Asset Suite
Vulnerabilities: Incomplete List of Disallowed Inputs, Plaintext Storage of a Password, Out-of-bounds Write, Release of Invalid Pointer or Reference
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to the target equipment, perform remote code execution, or escalate privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following products are affected:
Asset Suite AnyWhere for Inventory (AWI) Android mobile app: Versions 11.5 and prior (CVE-2019-9262, CVE-2019-9429, CVE-2019-9256, CVE-2019-9290)
Asset Suite 9 series: Version 9.6.4.4 (CVE-2025-1484, CVE-2025-2500)
Asset Suite 9 series: Version 9.7 (CVE-2025-2500)
3.2 VULNERABILITY OVERVIEW
3.2.1 INCOMPLETE LIST OF DISALLOWED INPUTS CWE-184
A vulnerability exists in the media upload component of the Asset Suite versions listed above. If successfully exploited, an attacker could impact the confidentiality or integrity of the system. An attacker can use this vulnerability to construct a request that will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. CVE-2025-1484 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ...

CVSS: HIGH (8.8)

Source: All CISA Advisories
July 15th, 2025 (about 4 hours ago)

CVE-2025-7357

Description:
1. EXECUTIVE SUMMARY
CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: LITEON
Equipment: IC48A and IC80A
Vulnerability: Plaintext Storage of a Password
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to access sensitive information when accessing the Liteon EV chargers.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of LITEON EV chargers are affected:
LITEON IC48A: Firmware versions prior to 01.00.19r
LITEON IC80A: Firmware versions prior to 01.01.12e
3.2 VULNERABILITY OVERVIEW
3.2.1 PLAINTEXT STORAGE OF A PASSWORD CWE-256
LITEON IC48A firmware versions prior to 01.00.19r and LITEON IC80A firmware versions prior to 01.01.12e store FTP-server-access credentials in cleartext in their system logs. CVE-2025-7357 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2025-7357. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER
Murat Sagdullaev of Electrada reported this vulnerability to CISA.
4. MITIGATIONS
LITEON has released the following firmware versions for the foll...
Source: All CISA Advisories
July 15th, 2025 (about 4 hours ago)

CVE-2025-6074

Description:
1. EXECUTIVE SUMMARY
CVSS v4 8.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: ABB
Equipment: RMC-100
Vulnerabilities: Use of Hard-coded Cryptographic Key, Stack-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain unauthenticated access to the MQTT configuration data, cause a denial-of-service condition on the MQTT configuration web server (REST interface), or decrypt encrypted MQTT broker credentials.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
ABB reports the following versions of RMC-100 with the REST interface are affected. The vulnerabilities are only present when the REST interface is enabled. This interface is disabled by default:
RMC-100: 2105457-043 through 2105457-045
RMC-100 LITE: 2106229-015 through 2106229-016
3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321
When the REST interface is enabled by the user, and an attacker gains access to the source code and the control network, the attacker can bypass REST interface authentication and gain access to MQTT configuration data. CVE-2025-6074 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). A CVSS v4 score has also been calculated for CVE-2025-6074. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA...

CVSS: MEDIUM (6.3)

Source: All CISA Advisories
July 15th, 2025 (about 4 hours ago)

Description:
Summary: When using Directus Flows to handle CRUD events for users, it is possible to log the incoming data to the console using the "Log to Console" operation and a template string.
Impact: Malicious admins can log sensitive data from other users when they are created or updated.
Workarounds: Avoid logging sensitive data to the console outside the context of development.
References:
https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp
https://nvd.nist.gov/vuln/detail/CVE-2025-53885
https://github.com/directus/directus/pull/25355
https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5
https://github.com/directus/directus/releases/tag/v11.9.0
https://github.com/advisories/GHSA-x3vm-88hf-gpxp

CVSS: MEDIUM (4.2)

Source: Github Advisory Database (NPM)
July 15th, 2025 (about 4 hours ago)

Description:
Summary: When using Directus Flows with the WebHook trigger, all incoming request details are logged, including security-sensitive data like access and refresh tokens in cookies.
Impact: Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow.
References:
https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v
https://nvd.nist.gov/vuln/detail/CVE-2025-53886
https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5
https://github.com/directus/directus/releases/tag/v11.9.0
https://github.com/advisories/GHSA-f24x-rm6g-3w5v

CVSS: MEDIUM (4.5)

Source: Github Advisory Database (NPM)
July 15th, 2025 (about 4 hours ago)

Description:
Summary: The exact Directus version number is incorrectly being used as the OpenAPI Spec version, which means it is exposed by the /server/specs/oas endpoint without authentication.
Impact: With the exact version information, a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version.
References:
https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q
https://nvd.nist.gov/vuln/detail/CVE-2025-53887
https://github.com/directus/directus/pull/25353
https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3
https://github.com/directus/directus/releases/tag/v11.9.0
https://github.com/advisories/GHSA-rmjh-cf9q-pv7q

CVSS: MEDIUM (5.3)

Source: Github Advisory Database (NPM)
July 15th, 2025 (about 4 hours ago)

Description:
Summary: Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do, this can lead to the Flow executing tasks on the attacker's behalf without authentication.
Impact: Bad actors could execute manual trigger Flows without authentication or access rights to the said collection(s) or item(s). Users with manual trigger Flows configured are impacted, as these endpoints do not currently validate whether the user has read access to directus_flows or to the relevant collection/items. Manual trigger Flows should have tighter security requirements than webhook Flows, where users are expected to do their own checks.
Workarounds: Users have to implement permission checks for read access to Flows and read access to the relevant collection/items.
References:
https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc
https://nvd.nist.gov/vuln/detail/CVE-2025-53889
https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb
https://github.com/directus/directus/releases/tag/v11.9.0
https://github.com/advisories/GHSA-7cvf-pxgp-42fc

CVSS: MEDIUM (6.5)

Source: Github Advisory Database (NPM)
July 15th, 2025 (about 4 hours ago)