Findings
Findings are groups of significant exposures with the same root cause.
You can promote one or more vulnerabilities from a finding into a runZero issue for tracking and remediation, and optionally push the issue to Jira as an external ticket.
finding:rz-finding-best-practiceThe web server is configured to show directory listings when no default web page is present. This can expose sensitive information about the server’s content to attackers.
_asset.protocol:=http AND protocol:=http AND has:html.title AND (html.title:="Index of /%" OR html.title:="HFS /%" OR html.title:="Directory listing%")finding:rz-finding-best-practice-admin-interfacefinding:rz-finding-best-practice-insecure-authenticationThe web service requires authentication but does not support TLS encryption. This configuration can result in exposure of the service credentials.
(_asset.protocol:http AND not _asset.protocol:tls) AND ( html.inputs:"password:" OR last.html.inputs:"password:" OR has:http.head.wwwAuthenticate OR has:last.http.head.wwwAuthenticate )finding:rz-finding-best-practice-obsolete-protocolThe service supports an obsolete version of the SSL protocol. SSLv2 and SSLv3 are considered insecure and should not be used to protect sensitive data.
(_asset.protocol:=tls OR _asset.protocol:=ssl2) AND (protocol:="tls" OR protocol:="ssl2") AND tls.supportedVersionNames:"SSL"The Server Message Block (SMB) service is configured to use version 1. SMB version 1 is insecure because it lacks modern security features such as encryption and signing, making it vulnerable to interception and relay attacks.
_asset.protocol:=smb1 protocol:=smb1finding:rz-finding-best-practice-service-misconfigurationThe Simple Network Management Protocol (SNMP) service is configured to respond to the default “public” and “private” community strings. This configuration can enable an attacker to retrieve sensitive data from the SNMP server.
_asset.protocol:snmp AND protocol:snmp AND has:snmp.defaultCommunitiesThe Network Time Protocol (NTP) service reports a value that differs by more than 30 seconds from the actual time. Accurate timekeeping is essential for various network operations, including logging, authentication, and coordination of distributed systems.
_asset.protocol:ntp and protocol:ntp and has:ntp.skewThe Server Message Block (SMB) service does not enforce message signing. This can enable an attacker with access to the network to manipulate connections and potentially gain access to authenticated sessions.
(_asset.protocol:=smb1 OR _asset.protocol:=smb2 OR _asset.protocol:=smb3) AND (protocol:=smb1 OR protocol:=smb2 OR protocol:=smb3) AND has:smb.signing AND NOT smb.signing:requiredfinding:rz-finding-certificates-expirationThe TLS service uses a certificate that will expire within six weeks. Clients will generally refuse to connect to services with expired certificates, and may indicate to users that the service is unsafe.
_asset.protocol:tls AND tls.notAfterTS:<6weeks AND tls.notAfterTS:>nowThe TLS service uses an expired certificate. Clients will generally refuse to connect to services with expired certificates, and may indicate to users that the service is unsafe.
_asset.protocol:tls AND tls.notAfterTS:<nowfinding:rz-finding-compliance-cisa-bod-26-02The indicated asset is an End-of-Support (EOS) device deployed on the “edge” or exposed to the public Internet.
(os_eol_extended:>0 AND os_eol_extended:<=now) AND has_public:t AND NOT (type:Server OR type:Desktop OR type:Laptop)finding:rz-finding-compliance-ndaa-section-889The device is manufactured by a company listed in Section 889 of the United States National Defense Authorization Act of 2019. This act prohibits the United States federal government, telecommunications companies, and certain other entities from using devices produced by these companies.
((mac_vendor:="zte corporation" OR mac_vendor:huawei OR mac_vendor:CRRC OR mac_vendor:dahua OR mac_vendor:hikvision OR mac_vendor:hisilicon OR mac_vendor:panda OR mac_vendor:dawning OR mac_vendor:hangzhou OR mac_vendor:hytera OR mac_vendor:inspur OR mac_vendor:"Aero Engine Corporation of China" OR mac_vendor:"Aviation Industry Corporation of China" OR mac_vendor:"China Aerospace" OR mac_vendor:"China Electronics" OR mac_vendor:"China General Nuclear Power" OR mac_vendor:"China Mobile" OR mac_vendor:"China National Nuclear Power" OR mac_vendor:"China North Industries Group" OR mac_vendor:"China Railway" OR mac_vendor:"China Shipbuilding" OR mac_vendor:"China South Industries Group" OR mac_vendor:"China State Shipbuilding" OR mac_vendor:"China Telecommunications" OR mac_vendor:ztec OR mac_vendor:ztek OR mac_vendor:"z-tec" OR mac_vendor:5shanghai OR mac_vendor:"Hella Sonnen" OR mac_vendor:anhui OR mac_vendor:"technology sdn bhd" OR mac_vendor:azteq) OR (hw:="ZTE%" OR hw:huawei OR hw:CRRC OR hw:dahua OR hw:hikvision OR hw:hisilicon OR hw:panda OR hw:dawning OR hw:hangzhou OR hw:hytera OR hw:inspur OR hw:"Aero Engine Corporation of China" OR hw:"Aviation Industry Corporation of China" OR hw:"China Aerospace" OR hw:"China Electronics" OR hw:"China General Nuclear Power" OR hw:"China Mobile" OR hw:"China National Nuclear Power" OR hw:"China North Industries Group" OR hw:"China Railway" OR hw:"China Shipbuilding" OR hw:"China South Industries Group" OR hw:"China State Shipbuilding" OR hw:"China Telecommunications" OR hw:ztec OR hw:ztek OR hw:"z-tec" OR hw:5shanghai OR hw:"Hella Sonnen" OR hw:anhui OR hw:"technology sdn bhd" OR hw:azteq))finding:rz-finding-compliance-prohibited-softwareThe asset has Kaspersky Lab security software installed. Kaspersky Lab is a Russian cybersecurity company that has been banned from providing software and services in the United States and to U.S. persons.
edr.name:KasperskyThe asset has Kaspersky Labs software installed. Kaspersky Lab is a Russian cybersecurity company that has been banned from providing software and services in the United States and to U.S. persons.
vendor:=Kasperskyfinding:rz-finding-compliance-secure-networks-act-section-2The device is manufactured by a company listed by the United States Federal Communications Commission as being covered by Section 2 of the United States Secure Networks Act of 2020.
(hw:huawei OR hw:="zte%" OR hw:hytera OR hw:hikvision OR hw:dahua OR hw:"china mobile" OR hw:"china telecom" OR hw:"china unicom" OR hw:"pacific networks corp" OR hw:"comnet (usa) llc" OR hw:zhejiang) OR (mac_vendor:huawei OR mac_vendor:="zte%" OR mac_vendor:hytera OR mac_vendor:hikvision OR mac_vendor:dahua OR mac_vendor:"china mobile" OR mac_vendor:"china telecom" OR mac_vendor:"china unicom" OR mac_vendor:"pacific networks corp" OR mac_vendor:"comnet (usa) llc" OR mac_vendor:"zhejiang")finding:rz-finding-eol-assetSangoma FreePBX versions 2.x, 12.x, 13.x, and 14.x are all end-of-life (EOL). The earliest of these versions have been unsupported since approximately 2016, and versions 13.x and 14.x reached their EOL on November 2, 2022. EOL versions no longer receive any updates, including security patches, leaving all existing vulnerabilities unresolved.
These unsupported versions have not been tested for the authentication bypass, arbitrary database manipulation, and remote code execution (RCE) vulnerability CVE-2025-57819, and may be affected. There is evidence that this vulnerability is being actively exploited in the wild.
((vendor:=FreePBX AND product:=PBX) OR (vendor:=Sangoma AND product:=FreePBX)) AND ((version:>="2.0.0(%)" AND version:<"3.0.0(%)") OR (version:>="12.0.0(%)" AND version:<"15.0.0(%)"))The Accellion File Transfer Appliance (FTA) is no longer supported as of April 30, 2021. No further updates, including security patches, will be made available, and existing vulnerabilities will not be resolved.
hw:"Accellion File Transfer Appliance"The AutomationDirect MB-GATEWAY Modbus gateway is no longer supported and is end-of-life. No further updates, including security patches, will be made available, and existing vulnerabilities will not be resolved.
- The gateway firmware lacks authentication and access controls via the embedded web server, which could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.
hw:="AutomationDirect Modbus Gateway" OR hw:="Automation Direct Modbus Gateway"The Cisco Small Business Router is no longer supported, with end-of-life dates ranging from September 2, 2019 to November 30, 2024, depending on the specific model. No further updates, including security patches, will be made available, and existing vulnerabilities will not be resolved.
- A vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320 and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device. (CVE-2023-20026)
- A vulnerability in the upload module of Cisco RV340 and RV345 Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient boundary checks when processing specific HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system of the device. (CVE-2024-20416)
- A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to elevate privileges on an affected device. This vulnerability exists because the web-based management interface discloses sensitive information. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow an attacker to elevate privileges from guest to admin. (CVE-2024-20393)
- A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device. In order to exploit this vulnerability, the attacker must have valid admin credentials. This vulnerability exists because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. (CVE-2024-20470)
- A vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 Routers could allow an unauthenticated, remote attacker to bypass authentication on an affected device. This vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to bypass authentication and gain root access on the underlying operating system. (CVE-2023-20025)
- A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device. Cisco has not and will not release software updates that address this vulnerability. However, administrators may disable the affected feature as described in the Workarounds [#workarounds] section. {{value}} [%7b%7bvalue%7d%7d])}]] (CVE-2023-20118)
- A vulnerability in the JSON-RPC API feature in Cisco Crosswork Network Services Orchestrator (NSO) and ConfD that is used by the web-based management interfaces of Cisco Optical Site Manager and Cisco RV340 Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to modify the configuration of an affected application or device. This vulnerability is due to improper authorization checks on the API. An attacker with privileges sufficient to access the affected application or device could exploit this vulnerability by sending malicious requests to the JSON-RPC API. A successful exploit could allow the attacker to make unauthorized modifications to the configuration of the affected application or device, including creating new user accounts or elevating their own privileges on an affected system. (CVE-2024-20381)
- A vulnerability in the web-based management interface of Cisco Small Business RV042, RV042G, RV320, and RV325 Routers could allow an authenticated, Administrator-level, remote attacker to cause an unexpected reload of an affected device, resulting in a denial of service (DoS) condition. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device. This vulnerability is due to improper validation of user input that is in incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface of the affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition. (CVE-2024-20516)
- A vulnerability in the web-based management interface of Cisco Small Business RV042, RV042G, RV320, and RV325 Routers could allow an authenticated, Administrator-level, remote attacker to cause an unexpected reload of an affected device, resulting in a denial of service (DoS) condition. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device. This vulnerability is due to improper validation of user input that is in incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface of the affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition. (CVE-2024-20517)
- A vulnerability in the web-based management interface of Cisco Small Business RV042, RV042G, RV320, and RV325 Routers could allow an authenticated, Administrator-level, remote attacker to execute arbitrary code as the root user. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device. This vulnerability is due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the root user. (CVE-2024-20518)
hw:"Cisco RV0" OR hw:"Cisco RV110W" OR hw:"Cisco RV130" OR hw:"Cisco RV132W" OR hw:"Cisco RV134W" OR hw:"Cisco RV160" OR hw:"Cisco RV215" OR hw:"Cisco RV260" OR hw:"Cisco RV320" OR hw:"Cisco RV325" OR hw:"Cisco RV340" OR hw:"Cisco RV345" The Cisco Small Business Switch is no longer supported, with end-of-life dates ranging from April 4, 2018 to November 30, 2024, depending on the specific model. No further updates, including security patches, will be made available, and existing vulnerabilities will not be resolved.
hw:"Cisco" and type:"switch" and ( hw:"SRW224G4-K9-" OR hw:"SRW2016-K9-" OR hw:"SG500X-" OR hw:"SF300-" OR hw:"SRW208G-K9-" OR hw:"SG300-" OR hw:"SRW2048-K9-" OR hw:"SLM2048PT-" OR hw:"SRW208-K9-" OR hw:"SF302-" OR hw:"SLM2008PT-" OR hw:"SLM224PT-" OR hw:"SF500-" OR hw:"SLM2008T-" OR hw:"SG500-" OR hw:"SG200-" OR hw:"SF200-" OR hw:"SLM224GT-" OR hw:"SLM2016T-")All versions of the D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L network attached storage (NAS) devices are vulnerable to a remote command injection vulnerability.
fp.hw.product:="DNS-320L" OR fp.hw.product:="DNS-325" OR fp.hw.product:="DNS-327L" OR fp.hw.product:="DNS-340L"The Edimax IC-7100 IP camera contains a vulnerability in input processing. A remote, unauthenticated attacker could exploit this vulnerability to execute arbitrary code on the device.
The following devices are affected
- Edimax IC-7100 IP Camera, all versions
hw:"EDIMAX IC-71%Camera"PowerDNS Recursor versions 2.x, 3.x, 4.x, and 5.0 are all end-of-life (EOL).
- Support for the last 4.x release (version 4.9.9) ended on January 10, 2025.
- Support for the last 5.0.x release (version 5.0.12) ended on July 10, 2025.
EOL versions no longer receive any updates, including security patches, leaving all existing vulnerabilities unresolved.
vendor:=PowerDNS AND product:=Recursor AND (version:>0 AND version:>=2 AND version:<5.1)XCP-ng versions 7.4 through 7.6, as well as 8.0, 8.1, and 8.2 LTS, have all reached end-of-life (EOL) status. Because EOL versions no longer receive security patches or functional updates, any existing or future vulnerabilities will remain unresolved.
Support End Dates:
- 8.2 LTS: September 16, 2025
- 8.1: March 31, 2021
- 8.0: November 13, 2020
- 7.6: March 30, 2020
- 7.5: July 25, 2019
- 7.4: October 31, 2018
os:="Xen Project XCP-ng" AND (os_version:>0 AND os_version:<"8.3")Certain Zyxel CPE devices are vulnerable to a remote command execution vulnerability. There is evidence that this vulnerability is being actively exploited in the wild.
hw:"VMG1312-B10A" OR hw:"VMG1312-B10B" OR hw:"VMG1312-B10E" OR hw:"VMG3312-B10A" OR hw:"VMG3313-B10A" OR hw:"VMG3926-B10B" OR hw:"VMG4325-B10A" OR hw:"VMG4380-B10A" OR hw:"VMG8324-B10A" OR hw:"VMG8924-B10A" OR hw:"SBG3300" OR hw:"SBG3500"finding:rz-finding-eol-osThe asset is running an operating system version that has reached its end-of-life and is no longer supported by the vendor. No further updates, including security patches, will be made available, and existing vulnerabilities will not be resolved.
(os_eol_extended:>0 AND os_eol_extended:<now) OR (os_eol_extended:0 AND os_eol:<now)finding:rz-finding-internet-exposed-databaseThe configuration database service is exposed to the public internet.
service_has_public:t AND (_asset.protocols:zookeeper OR _asset.protocols:etcd2 OR _asset.protocols:consul) AND (protocol:zookeeper OR protocol:etcd2 OR protocol:consul)The key-value database service is exposed to the public internet.
service_has_public:t AND (_asset.protocols:memcache OR _asset.protocols:redis) AND (protocol:memcache OR protocol:redis)The NoSQL database service is exposed to the public internet.
service_has_public:t AND (_asset.protocols:mongodb OR _asset.protocols:couchdb OR _asset.protocols:cassandra OR _asset.protocols:elasticsearch OR _asset.protocols:riak OR _asset.protocols:influxdb) AND (protocol:mongodb OR protocol:couchdb OR protocol:cassandra protocol:elasticsearch OR protocol:riak OR protocol:influxdb)The relational database service is exposed to the public internet.
service_has_public:t AND ( _asset.protocol:=mysql OR _asset.protocol:=mysqlx OR _asset.protocol:=postgresql OR _asset.protocol:=mssql OR _asset.protocol:=oracledb) AND (protocol:=mysql OR protocol:=mysql OR protocol:=postgresql OR protocol:=mssql OR protocol:=oracledb)finding:rz-finding-internet-exposed-ioasm-public-internal-assetThe internal asset may be exposed to the public internet. This determination was made by cross-referencing the asset’s MAC address or public key with internet-wide scan data.
source:runzero AND (foreign_id:=rz-query-rz-ioasm-internal-mac OR foreign_id:=rz-query-rz-ioasm-internal-pubkey)The Operational Technology (OT) service may be exposed to the public internet.
has_public:t AND service_has_public:f AND (_asset.protocols:bacnet OR _asset.protocols:modbus OR _asset.protocols:dnp3 OR _asset.protocols:opcua OR _asset.protocols:cip OR _asset.protocols:ethernetip OR _asset.protocols:profinet OR _asset.protocols:prosoft OR _asset.protocols:s7comm OR _asset.protocols:fins OR _asset.protocols:comtrol OR _asset.protocols:atg) AND (protocol:bacnet OR protocol:modbus OR protocol:dnp3 OR protocol:opcua OR protocol:cip OR protocol:ethernetip OR protocol:profinet OR protocol:prosoft OR protocol:s7comm OR protocol:fins OR protocol:comtrol OR protocol:atg)The Remote Desktop service may be exposed to the public internet.
has_public:t AND service_has_public:f AND ( ( _asset.protocol:rdp AND protocol:rdp ) OR ( _asset.protocol:vnc AND protocol:vnc ) OR ( _asset.protocol:teamviewer AND protocol:teamviewer ) OR ( _asset.protocol:spice AND protocol:spice ) )The configuration database service may be exposed to the public internet.
has_public:t AND service_has_public:f AND (_asset.protocols:zookeeper OR _asset.protocols:etcd2 OR _asset.protocols:consul) AND (protocol:zookeeper OR protocol:etcd2 OR protocol:consul)The key-value database service may be exposed to the public internet.
has_public:t AND service_has_public:f AND (_asset.protocols:memcache OR _asset.protocols:redis) AND (protocol:memcache OR protocol:redis)The NoSQL database service may be exposed to the public internet.
has_public:t AND service_has_public:f AND (_asset.protocols:mongodb OR _asset.protocols:couchdb OR _asset.protocols:cassandra OR _asset.protocols:elasticsearch OR _asset.protocols:riak OR _asset.protocols:influxdb) AND (protocol:mongodb OR protocol:couchdb OR protocol:cassandra protocol:elasticsearch OR protocol:riak OR protocol:influxdb)The relational database service may be exposed to the public internet.
has_public:t AND service_has_public:f AND (_asset.protocol:=mysql OR _asset.protocol:=mysqlx OR _asset.protocol:=postgresql OR _asset.protocol:=mssql OR _asset.protocol:=oracledb) AND (protocol:=mysql OR protocol:=mysqlx OR protocol:=postgresql OR protocol:=mssql OR protocol:=oracledb)The Remote Desktop Gateway service may be exposed to the public internet.
has_public:t AND service_has_public:f AND ( (_asset.protocol:dtls OR _asset.protocol:http) AND ((protocol:dtls OR protocol:http) AND has:rdg.transport) )The Secure Shell (SSH) service may be exposed to the internet with password authentication enabled.
has_public:t AND service_has_public:f AND (_asset.protocol:ssh AND protocol:ssh AND ssh.authMethods:password)The Microsoft Windows management service may be exposed to the public internet.
has_public:t AND service_has_public:f AND ( ( _asset.protocol:smb AND protocol:smb ) OR ( _asset.protocol:epm AND protocol:epm ) OR ( _asset.protocol:wsman AND protocol:wsman ) )finding:rz-finding-internet-exposed-otThe Operational Technology (OT) service is exposed to the public internet.
service_has_public:t AND (_asset.protocols:bacnet OR _asset.protocols:modbus OR _asset.protocols:dnp3 OR _asset.protocols:opcua OR _asset.protocols:cip OR _asset.protocols:ethernetip OR _asset.protocols:profinet OR _asset.protocols:prosoft OR _asset.protocols:s7comm OR _asset.protocols:fins OR _asset.protocols:comtrol OR _asset.protocols:atg) AND (protocol:bacnet OR protocol:modbus OR protocol:dnp3 OR protocol:opcua OR protocol:cip OR protocol:ethernetip OR protocol:profinet OR protocol:prosoft OR protocol:s7comm OR protocol:fins OR protocol:comtrol OR protocol:atg)finding:rz-finding-internet-exposed-serviceThe Baseboard Management Controller (BMC) is exposed to the public internet. The BMC can be used to remotely manage the server, and if exposed to the internet, can be a target for attackers.
haspublic:t AND (type:bmc OR protocol:ipmi)The Remote Desktop Gateway service is exposed to the public internet.
service_has_public:t AND ( (_asset.protocol:dtls OR _asset.protocol:http) AND ((protocol:dtls OR protocol:http) AND has:rdg.transport) )The Remote Desktop service is exposed to the public internet.
service_has_public:t AND ( ( _asset.protocol:rdp AND protocol:rdp ) OR ( _asset.protocol:vnc AND protocol:vnc ) OR ( _asset.protocol:teamviewer AND protocol:teamviewer ) OR ( _asset.protocol:spice AND protocol:spice ) )The Secure Shell (SSH) service is exposed to the internet with password authentication enabled.
service_has_public:t AND ( _asset.protocol:ssh AND protocol:ssh AND ssh.authMethods:password )The Microsoft Windows management service is exposed to the public internet.
service_has_public:t AND ( ( _asset.protocol:smb AND protocol:smb ) OR ( _asset.protocol:epm AND protocol:epm ) OR ( _asset.protocol:wsman AND protocol:wsman ) )finding:rz-finding-open-access-default-credentialsfinding:rz-finding-open-access-unauth-admin-serviceThe Cisco Smart Install service allows an unauthenticated attacker to retrieve and modify the running configuration of a network device.
_asset.protocol:ciscosmi protocol:ciscosmiThe Sun Solaris sadmind RPC service allows remote users to execute arbitrary commands as the root user without authentication.
_asset.protocol:=rpcbind protocol:=rpcbind rpcbind.programs:"100232-v10-"The Android Debug Bridge (ADB) service is exposed to the network without authentication. An attacker can use this service to execute arbitrary code on the device and retrieve sensitive information.
_asset.protocol:=adb AND protocol:=adb AND has:adb.access AND adb.access:="allowed"The Distributed Ruby service is exposed to the network without authentication. An attacker can use this service to execute arbitrary code.
_asset.protocol:=drbd AND protocol:=drbdZabbix monitoring agents without access control can allow attackers to discover information about the host on which the agent is running.
_asset.protocol:=zabbix-agent AND protocol:=zabbix-agent AND NOT zabbix.isLocal:trueThe Click Modular Router shell is accessible over the network without authentication. An attacker can use this service to extract sensitive device information. Unpatched Cisco Meraki devices are known to inadvertently expose this service.
_asset.protocol:=click protocol:=clickfinding:rz-finding-open-access-unauth-databaseThe Apache ZooKeeper configuration database is exposed to the network without access control. This exposure allows an unauthenticated attacker to read, modify, and delete configuration records, which often include sensitive authentication tokens.
_asset.protocol:zookeeper AND protocol:zookeeper AND zk.access:allowedThe CNCF etcd configuration database is exposed to the network without access control. This exposure allows an unauthenticated attacker to read, modify, and delete configuration records, which often include sensitive authentication tokens.
_asset.protocol:etcd2 protocol:etcd2 etcd2.access:allowedThe MongoDB NoSQL database is exposed to the network without access control. This exposure allows an unauthenticated attacker to read, modify, and delete database records.
_asset.protocol:=mongodb AND protocol:=mongodb AND mongodb.auth:openThe Apache CouchDB database is exposed to the network without access control. This exposure allows an unauthenticated attacker to read, modify, and delete database records.
_asset.protocol:=couchdb AND protocol:=couchdbThe Apache Cassandra database is exposed to the network without access control. This exposure allows an unauthenticated attacker to read, modify, and delete database records.
_asset.protocol:=cassandra AND protocol:=cassandraThe Elastic Search database is exposed to the network without access control. This exposure allows an unauthenticated attacker to read, modify, and delete database records.
_asset.protocol:elasticsearch AND protocol:elasticsearchThe HashiCorp Consul configuration database is exposed to the network without access control. This exposure allows an unauthenticated attacker to read, modify, and delete configuration records, which often include sensitive authentication tokens.
_asset.protocol:consul protocol:consul has:consul.config.datacenterThe InfluxDB database is exposed to the network without access control. This exposure allows an unauthenticated attacker to read, modify, and delete database records.
_asset.protocol:=influxdb AND protocol:=influxdb AND has:influxdb.databasesThe memcached service is exposed to the network without access control. This exposure allows an unauthenticated attacker to read, modify, and delete database records.
_asset.protocol:memcache AND protocol:memcacheThe Redis key-value database is exposed to the network without access control. This exposure allows an unauthenticated attacker to read, modify, and delete database records.
_asset.protocol:redis AND protocol:redis AND has:redis.redisVersionThe Riak database is exposed to the network without access control. This exposure allows an unauthenticated attacker to read, modify, and delete database records.
(_asset.protocol:riak AND protocol:riak) OR (_asset.protocol:riak-http AND protocol:riak-http)The MongoDB NoSQL database is exposed to the network without access control. This exposure allows an unauthenticated attacker to view information about the instance and issue informational commands. This configuration does not allow access to the stored databases, but still puts the server at risk.
_asset.protocol:mongodb AND protocol:mongodb AND mongodb.auth:limitedfinding:rz-finding-open-access-unauth-filesThe Network File System (NFS) service is configured to allow data access from any source. An attacker can abuse this issue to read and possibly modify the shared files.
_asset.protocol:=mountd AND protocol:="mountd" AND nfs.allowed:"%=*"finding:rz-finding-rapid-response-servicesCheck Point Remote Access and Mobile Access VPN provide users access to corporate networks over IPSec.
Certain versions of the Check Point VPN solutions utilize the deprecated IKE protocol version 1 (IKEv1) that contains a logic flow vulnerability. Remote unauthenticated attackers can utilize this vulnerability to bypass the authentication validation without credentials in order to gain access to secure networks.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected:
-
Security Gateways
- R82.10 Jumbo Hotfix Take 19 or below
- R82 Jumbo Hotfix Take 103 or below
- R81.20 Jumbo Hotfix Take 141 or below
- R81.10 (End-of-Support (EOS))
- R81 (End-of-Support (EOS))
- R80.40 (End-of-Support (EOS))
-
Spark Firewalls
- R82.00.X
- R81.10.X
- R80.20.X (End-of-Support (EOS))
Note: Exploitation requires that VPN Remote Access or Mobile Access with IKEv1 must be enabled. Gateways must additionally enable legacy Remote Access clients and not require machine certificate authentication.
hw:="Check Point%" AND protocol:ike AND ike.version:="1.0"Ivanti Sentry, formerly MobileIron Sentry, is an inline security gateway appliance that controls, encrypts, and isolates data traffic between remote mobile devices and a company’s internal corporate servers based on device compliance rules set by a central management platform.
Certain versions of Sentry are susceptible to two vulnerabilities. Successful exploitation could allow a remote, unauthenticated attacker to bypass authentication, create administrative accounts, and execute arbitrary commands with root privileges, leading to complete system compromise.
-
CVE-2026-10520: An OS command injection vulnerability allows a remote, unauthenticated attacker to achieve root-level remote code execution (RCE).
-
CVE-2026-10523: An authentication bypass vulnerability allows a remote, unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.
There is evidence that CVE-2026-10520 is being actively exploited in the wild.
The following versions are affected:
- Ivanti Sentry: Versions 10.5.1, 10.6.1, 10.7.0, and prior.
Note: Older, unsupported product versions have not been tested but are likely also affected.
_asset.protocol:http AND protocol:http AND (last.http.body:"background-image:url(images/sentry-ivanti-logo-178x32.png)" OR last.http.body:"background-image:url(images/sentry-mi-logo-300x40.png)")PeopleSoft is an enterprise resource planning (ERP) platform used for managing large organizations’ business functions.
Certain versions of the PeopleSoft Enterprise PeopleTools solution utilize the Environment Management Hub (EMHub) service that contains a server-side request forgery (SSRF) vulnerability. Remote unauthenticated attackers can utilize this vulnerability to chain outbound requests to achieve remote code execution and gain access to the underlying operating system.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected:
- 8.61
- 8.62
_asset.protocol:http AND protocol:http AND (http.head.setCookie:"PS_TOKEN=" OR last.html.title:="Oracle PeopleSoft Sign-in" OR html.title:="Oracle PeopleSoft Sign-in")Splunk provides ingestion and indexing of machine-generated data, and is commonly used for logging, tracing, SIEM, and other business processes. The PostgreSQL Sidecar Service is a Splunk provided storage integration that provides a PostgreSQL database and API provider for Splunk Enterprise deployments.
Certain versions of Splunk Enterprise and Splunk Cloud Platform that utilize the PostgreSQL Sidecar Service are vulnerable to an unauthenticated file upload vulnerability chain that can result in remote code execution. An attacker can utilize a logic bug in the PostgreSQL Sidecar Service to trigger internal operations on behalf of the SQL server, including backup and restore functionality. It was found that the backup logic additionally allowed for path traversal, enabling the attacker to control database connections, which when using the APIs logic for restoring could use an attackers hosted SQL database to trigger remote code execution. This will allow an attacker to gain unauthenticated access to the underlying operating system.
There is evidence that this vulnerability is being actively exploited in the wild and the vulnerability has been added to the CISA KEV list June 18th, 2026.
The following versions are affected only if the PostgreSQL Sidecar Service is enabled:
- Splunk Enterprise:
- 10.0.0 through 10.0.6
- 10.2.0 through 10.2.3
Note: The PostgreSQL Sidecar Service must be enabled for exploitation by an attacker, this should be verified directly on deployed instances.
Additionally, Amazon Web Services (AWS) deployed instances are likely vulnerable by default and self-hosted instances must explicitly install and enable the PostgreSQL Sidecar Service.
vendor:="Splunk" AND (product:="Splunk" OR product:="splunkd") AND version:>0 AND ((version:>=10.0.0 AND version:<=10.0.6) OR (version:>=10.2.0 AND version:<=10.2.3))Veeam Backup & Replication is data protection software that supports image-level backup, recovery, and replication for virtual, physical, and cloud machines.
Certain versions of Veeam Backup & Replication contain a vulnerability that allows an authenticated domain user to achieve remote code execution (RCE) on the Backup Server. Additional technical details have not been released at this time.
The following versions are affected:
- Veeam Backup & Replication 12.x: Versions prior to 12.3.2.4854.
Note: Older, unsupported product versions have not been tested, but are likely also affected.
vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication")finding:rz-finding-tls-riskThis query identifies certificates that use insecure public keys, such as those with weak key sizes or outdated algorithms.
public_key_insecure:trueThis query identifies certificates that use insecure signature algorithms which are known to be vulnerable to collision attacks, which could allow an attacker to forge a certificate and impersonate the service. Additionally, many modern browsers will not accept certificates signed with insecure algorithms.
signature_algorithm_insecure:true is_ca:falseThe service supports an obsolete version of the TLS protocol (TLS 1.0). TLS 1.0 is considered insecure and should not be used to protect sensitive data.
_asset.protocol:=tls AND tls.supportedVersionNames:TLSv1.0This query identifies services that support the insecure and deprecated TLS 1.1 protocol, which is vulnerable to various attacks and should be disabled to enhance security.
_asset.protocol:=tls AND tls.supportedVersionNames:TLSv1.1This query identifies services that do not implement HTTP Strict Transport Security (HSTS), which is a security feature that helps protect websites against protocol downgrade attacks and cookie hijacking.
_asset.protocol:=tls AND protocol:=http protocol:=tls NOT has:http.head.strictTransportSecurityfinding:rz-finding-vulnerability-auth-bypassMultiple versions of Atlassian Confluence Data Center and Server are affected by a stored cross-site scripting vulnerability leading to potential authentication bypassing allowing an attacker to monitor a user’s activity and/or trigger downloads.
vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<7.19.25) OR (version:>=7.20.0 AND version:<8.5.11) OR (version:>=8.6.0 AND version:<8.9.3)) Multiple versions of Atlassian Confluence Data Center and Server are affected by a server-side request forgery vulnerability.
- The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery.
vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<6.6.7) OR (version:>=6.7.0 AND version:<6.8.5) OR (version:>=6.9.0 AND version:<6.9.3))The HP Integrated Lights Out (iLO 4) module is running a firmware version prior to 2.53. This version is vulnerable to an authentication bypass. Successfully exploiting this vulnerability would allow an attacker to compromise both the iLO and host system.
os:"iLO 4" and os_version:>0 AND os_version:<2.53The Intelligent Platform Management Interface (IPMI) commonly exposes a legacy session protocol that predates RAKP and Redfish. Some BMCs still accept IPMI 1.5 session activation without a password when the “none” authentication type is enabled.
This configuration allows an attacker with network access to activate an administrative IPMI session without valid credentials. An attacker that can compromise a BMC can reflash malicious firmware, dump configured secrets, and attack the managed host through functions such as virtual media and KVM redirection.
_asset.protocols:ipmi AND ipmi.passAuth:noneThe Intelligent Platform Management Interface (IPMI) is a commonly-implemented protocol used by Baseboard Management Controllers (BMCs) for out-of-band management of computer systems. BMCs that implement IPMI include SuperMicro (IPMI), Lenovo (XCC), Dell (DRAC), HP (iLO), and many others. The IPMI protocol includes multiple cipher suites for authentication, including one called “Cipher Zero” that is effectively unauthenticated access.
This Cipher Zero vulnerability (CVE-2013-4782) allows an attacker to bypass authentication and gain unauthorized access to the BMC. An attacker that can compromise a BMC can reflash malicious firmware, dump clear-text passwords of configured users, and attack the host system through various means, including the use of Keyboard Video Mouse (KVM) redirection.
_asset.protocols:ipmi AND has:ipmi.cipherZeroThe Intelligent Platform Management Interface (IPMI) is a commonly-implemented protocol suite used by Baseboard Management Controllers (BMCs) for out-of-band management of computer systems. BMCs that implement IPMI include SuperMicro (IPMI), Lenovo (XCC), Dell (DRAC), HP (iLO), and many others. The IPMI protocol suite includes a sub-protocol called the Remote Authenticated Key-Exchange Protocol (RAKP). RAKP supports HMAC-based authentication, but does so in a way where the BMC will send the expected HMAC hash to the user, prior to authentication.
This pre-authentication exposure enables an attacker to obtain the HMAC hash of the target user accounts, which can be cracked offline to obtain the clear-text password. The attacker needs to know a valid username, but this is often trivial to guess because most BMCs have one or more default accounts with well-known usernames (e.g. “admin”). An attacker that is able to obtain and crack the HMAC hash can use this to access the BMC as an administrative user, which in turn allows them to reflash malicious firmware, dump clear-text passwords of configured users, and attack the host system through various means, including the use of Keyboard Video Mouse (KVM) redirection.
The affected systems have RAKP enabled and have at least one user account with a default or weak password.
_asset.protocols:ipmi AND has:ipmi.rakp.crackedThe Microsoft OMI agent service is vulnerable to an authentication bypass referred to as “OMIGOD”. This issue affects versions of the OMI agent prior to 1.13.40-0. Successfully exploiting this vulnerability would allow an attacker to view system state and execute arbitrary commands with root-level privileges.
_asset.protocol:wsman AND wsman.productVendor:="Open Management Infrastructure" AND (wsman.productVersion:=0.% or wsman.productVersion:=1.0.% or wsman.productVersion:=1.1.% or wsman.productVersion:1.2.% or wsman.productVersion:=1.3.% or wsman.productVersion:=1.4.% or wsman.productVersion:=1.5.% or wsman.productVersion:=1.6.0-% or wsman.productVersion:=1.6.1-% or wsman.productVersion:=1.6.2-% or wsman.productVersion:=1.6.3-% or wsman.productVersion:=1.6.4-% or wsman.productVersion:=1.6.5-% or wsman.productVersion:=1.6.6-% or wsman.productVersion:=1.6.7-% or wsman.productVersion:=1.6.8-0)Certain versions of Palo Alto Networks PAN-OS are vulnerable to an authentication bypass.
The following versions are affected:
-
PAN-OS 11.2 up to 11.2.4-h4
-
PAN-OS 11.1 up to 11.1.2-h18
-
PAN-OS 10.2 up to 10.2.7-h24
-
PAN-OS 10.1 up to 10.1.14-h9
-
An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431. This issue does not affect Cloud NGFW or Prisma Access software. (CVE-2025-0108)
os:="Palo Alto Networks PAN-OS" AND (osversion:>"11.1.6-h1" AND osversion:<11.2.4-h4) AND (osversion:>"10.2.13-h3" AND osversion:<11.1.6-h1) AND (osversion:>"10.1.14-h9" AND osversion:<"10.2.13-h3") AND (osversion:>"10.1.0" AND osversion:<"10.1.14-h9")Multiple versions of SonicWall’s SonicOS are vulnerable to an authentication bypass.
- An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication. (CVE-2024-53704)
- Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass. (CVE-2024-40762)
- A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall. (CVE-2024-53705)
- A vulnerability in the Gen7 SonicOS Cloud platform NSv, allows a remote authenticated local
low-privileged attacker to elevate privileges to
rootand potentially lead to code execution. (CVE-2024-53706)
os:SonicOS AND ( (osversion:>"6.0" AND osversion:<"6.5.5.1-6n") OR (osversion:>"7.0" AND osversion:<"7.0.1-5165") OR (osversion:>"7.1" AND osversion:<"7.1.3-7015") OR (hw:TZ80 AND osversion:>"8.0" AND osversion:<"8.0.0-8037"))An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.
The following versions are affected:
- SOHO Gen5 versions prior to 5.9.2.14-13o
- SM9800, NSsp 12400, and NSsp 12800 versions prior to 6.5.2.8-2n
- Gen6 Firewall versions prior to 6.5.4.15.116n
- Gen7 Firewall versions prior to 7.0.1-5035
hw:="SonicWall%" AND ((os_version:>0 AND os_version:<"5.9.2.14-13o") OR (os_version:>"6.0" AND os_version:<"6.5.4.15.116n") OR (os_version:>"7.0" AND os_version:<"7.0.1-5035") OR (os_version:>"6.0" AND os_version:<"6.5.2.8-2n" AND (hw:"SM9800" OR hw:"NSsp 12400" OR hw:"NSsp 12800")))Multiple Fortinet products contain an authentication bypass vulnerability when used in a Single Sign-On (SSO) configuration with FortiCloud.
Successful exploitation of this vulnerability would allow an attacker to bypass authentication checks on the vulnerable systems, potentially allowing for complete system compromise.
Note that there is evidence that this vulnerability is being exploited in the wild.
The following versions are affected
- FortiOS 7.6 versions 7.6.0 through 7.6.3
- FortiOS 7.4 versions 7.4.0 through 7.4.8
- FortiOS 7.2 versions 7.2.0 through 7.2.11
- FortiOS 7.0 versions 7.0.0 through 7.0.17
- FortiProxy 7.6 versions 7.6.0 through 7.6.3
- FortiProxy 7.4 versions 7.4.0 through 7.4.10
- FortiProxy 7.2 versions 7.2.0 through 7.2.14
- FortiProxy 7.0 versions 7.0.0 through 7.0.21
- FortiSwitchManager 7.2 versions 7.2.0 through 7.2.6
- FortiSwitchManager 7.0 versions 7.0.0 through 7.0.5
- FortiWeb 8.0 version 8.0.0
- FortiWeb 7.6 versions 7.6.0 through 7.6.4
- FortiWeb 7.4 versions 7.4.0 through 7.4.9
This vulnerability is rated Critical because:
- This vulnerability would allow a remote attacker to bypass authentication on a vulnerable system, potentially leading to complete system compromise.
os:="Fortinet FortiOS" AND os_version:>0 AND ((os_version:>="7.6.0" AND os_version:<="7.6.3") OR (os_version:>="7.4.0" AND os_version:<="7.4.8") OR (os_version:>="7.2.0" AND os_version:<="7.2.11") OR (os_version:>="7.0.0" AND os_version:<="7.0.17"))PAN-OS is the proprietary operating system that powers all Palo Alto Networks Next-Generation Firewalls (NGFW) across physical, virtual, and cloud environments. It uses a Single-Pass Parallel Processing (SP3) architecture to provide deep visibility and control over network traffic by identifying applications, users, and content simultaneously.
Certain versions of Palo Alto Networks PAN-OS are affected by an authentication bypass vulnerability in the GlobalProtect portal and gateway. Successful exploitation allows a remote, unauthenticated attacker to bypass security restrictions, establish an unauthorized VPN connection, and gain access to restricted networks.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected:
- PAN-OS 12.1: Versions 12.1.5 through 12.1.6, and 12.1.2 through 12.1.4-h*.
- PAN-OS 11.2: Versions 11.2.11 or later, 11.2.8 through 11.2.10-h*, 11.2.5 through 11.2.7-h*, and 11.2.0 through 11.2.4-h*.
- PAN-OS 11.1: Versions 11.1.14 or later, 11.1.11 through 11.1.13-h*, 11.1.8 through 11.1.10-h*, 11.1.7 through 11.1.7-h*, 11.1.5 through 11.1.6-h*, and 11.1.0 through 11.1.4-h*.
- PAN-OS 10.2: Versions 10.2.17 through 10.2.18-h*, 10.2.14 through 10.2.16-h*, 10.2.11 through 10.2.13-h*, 10.2.8 through 10.2.10-h*, and 10.2.0 through 10.2.7-h*.
Note: It is possible that older, unsupported PAN-OS versions are also vulnerable, but this has not been confirmed.
Severity & Risk Assessment
- Severity: High – Successful exploitation allows an attacker to establish an unauthorized VPN connection and gain access to protected networks.
- Risk: High – This vulnerability can be exploited by a remote, unauthenticated attacker, meaning the barrier to entry for an attacker is low. This significantly increases the likelihood of widespread exploitation.
hw:="Palo Alto Networks" AND os:="Palo Alto Networks PAN-OS%" AND os_version:>0 AND ((os_version:>="12.1.5" AND os_version:<"12.1.7") OR (os_version:>="12.1.2" AND os_version:<"12.1.4-h6") OR (os_version:>="11.2.11" AND os_version:<"11.2.12") OR (os_version:>="11.2.8" AND os_version:<"11.2.10-h7") OR (os_version:>="11.2.5" AND os_version:<"11.2.7-h14") OR (os_version:>="11.2.0" AND os_version:<"11.2.4-h17") OR (os_version:>="11.1.14" AND os_version:<"11.1.15") OR (os_version:>="11.1.11" AND os_version:<"11.1.13-h5") OR (os_version:>="11.1.8" AND os_version:<"11.1.10-h25") OR (os_version:>="11.1.7" AND os_version:<"11.1.7-h6") OR (os_version:>="11.1.5" AND os_version:<"11.1.6-h32") OR (os_version:>="11.1.0" AND os_version:<"11.1.4-h33") OR (os_version:>="10.2.17" AND os_version:<"10.2.18-h6") OR (os_version:>="10.2.14" AND os_version:<"10.2.16-h7") OR (os_version:>="10.2.11" AND os_version:<"10.2.13-h21") OR (os_version:>="10.2.8" AND os_version:<"10.2.10-h36") OR (os_version:>="10.2.0" AND os_version:<"10.2.7-h34"))PowerDNS Recursor is an open-source DNS resolving server that answers client queries by recursively querying authoritative nameservers and caching the results, distinguishing itself with a powerful, built-in Lua scripting engine that allows for advanced, fine-grained control over the resolving behavior.
Certain versions of PowerDNS Recursor are affected by multiple vulnerabilities stemming from Recursor not applying strict enough validation of received delegation information. This allows a remote, unauthenticated adversary to poison cached delegations in the following ways:
- By sending spoofed packets containing malicious delegation information (CVE-2025-59023).
- By sending spoofed packets performing a UDP fragmentation attack (CVE-2025-59024).
The following versions are affected
- PowerDNS Recursor versions 5.1.x prior to 5.1.8
- PowerDNS Recursor versions 5.2.x prior to 5.2.6
- PowerDNS Recursor versions 5.3.x prior to 5.3.1
vendor:=PowerDNS AND product:=Recursor AND (version:>0 AND ( (version:>=5.1 AND version:<5.1.8) OR (version:>=5.2 AND version:<5.2.6) OR (version:>=5.3 AND version:<5.3.1)))SonicWall SonicOS is the proprietary operating system that manages the networking, routing, and deep packet inspection security functions for SonicWall physical and virtual firewall appliances.
Certain versions of SonicOS across Gen 6, Gen 7, and Gen 8 firewall platforms are susceptible to the following vulnerabilities:
-
CVE-2026-0204: A flaw in the access control mechanism may expose management interface functions under specific conditions. An unauthenticated attacker with adjacent network access could gain unauthorized access to management functionality, potentially leading to security control bypasses or administrative misuse.
-
CVE-2026-0205: A post-authentication path traversal vulnerability allows an authenticated attacker with adjacent network access to interact with restricted services.
-
CVE-2026-0206: A post-authentication stack-based buffer overflow allows a remote, high-privileged attacker to cause a denial-of-service (DoS) by crashing the firewall.
While unconfirmed, the initial authentication bypass (CVE-2026-0204) may provide an unauthenticated attacker with the privileges necessary to chain and exploit the subsequent path traversal and buffer overflow vulnerabilities.
The following versions are affected:
- Gen 6 Series (TZ 300/400/500/600, NSA 2650–6650, SOHO 250, SM 9200–9650): SonicOS version 6.5.5.1-6n and prior.
- Gen 7 Series (TZ 270–670, NSa 2700–6700, NSsp 10700–15700, NSv 270-870): SonicOS 7.0.1-5169 and prior, and 7.3.1-7013 and prior.
- Gen 8 Series (TZ 80–680, NSa 2800–5800): SonicOS version 8.1.0-8017 and prior.
Severity & Risk Assessment
- Severity: High – Successful exploitation would allow an attacker unauthorized access to the management functionality of the vulnerable system.
- Risk: High – The primary vulnerability (CVE-2026-0204) can be exploited without authentication, significantly increasing the likelihood of an attack.
hw:="SonicWall%" AND os:="SonicWall SonicOS%" AND os_version:>0 AND ((os_version:<"6.5.5.2-28n") OR (os_version:>="7.0" AND os_version:<"7.3.2-7010") OR (os_version:>="8.0" AND os_version:<"8.2.0-8009"))A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.
Using a specific request to webauth_operation.php that doesn’t require authentication,
an attacker can upload and download arbitrary files through J-Web, leading to a loss of
integrity or confidentiality, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on SRX Series:
- All versions prior to 20.4R3-S8
- 21.1 versions 21.1R1 and later
- 21.2 versions prior to 21.2R3-S6
- 21.3 versions prior to 21.3R3-S5
- 21.4 versions prior to 21.4R3-S4
- 22.1 versions prior to 22.1R3-S3
- 22.2 versions prior to 22.2R3-S1
- 22.3 versions prior to 22.3R2-S2, 22.3R3
- 22.4 versions prior to 22.4R2-S1, 22.4R3.
hw:="Juniper EX%" AND os:="Juniper Junos OS" AND ((os_version:>"0" AND os_version:<"20.4R3-S8") OR (os_version:>="21.1" AND os_version:<"21.2R3-S6") OR (os_version:>="21.3" AND os_version:<"21.3R3-S5") OR (os_version:>="21.4" AND os_version:<"21.4R3-S4") OR (os_version:>="22.1" AND os_version:<"22.1R3-S3") OR (os_version:>="22.2" AND os_version:<"22.2R3-S1") OR (os_version:>="22.3" AND os_version:<"22.3R2-S2") OR (os_version:>="22.4" AND os_version:<"22.4R2-S1"))A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.
With a specific request to user.php that doesn’t require authentication, an attacker is able to
upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file
system, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on SRX Series:
- All versions prior to 20.4R3-S8
- 21.1 versions 21.1R1 and later
- 21.2 versions prior to 21.2R3-S6
- 21.3 versions prior to 21.3R3-S5
- 21.4 versions prior to 21.4R3-S5
- 22.1 versions prior to 22.1R3-S3
- 22.2 versions prior to 22.2R3-S2
- 22.3 versions prior to 22.3R2-S2, 22.3R3
- 22.4 versions prior to 22.4R2-S1, 22.4R3
hw:="Juniper SRX%" AND os:="Juniper Junos OS" AND ((os_version:>"0" AND os_version:<"20.4R3-S8") OR (os_version:>="21.1R1" AND os_version:<"21.2R3-S6") OR (os_version:>="21.3" AND os_version:<"21.3R3-S5") OR (os_version:>="21.4" AND os_version:<"21.4R3-S5") OR (os_version:>="22.1" AND os_version:<"22.1R3-S3") OR (os_version:>="22.2" AND os_version:<"22.2R3-S2") OR (os_version:>="22.3" AND os_version:<"22.3R2-S2") OR (os_version:>="22.4" AND os_version:<"22.4R2-S1"))A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.
Using a specific request to webauth_operation.php that doesn’t require authentication,
an attacker can upload and download arbitrary files through J-Web, leading to a loss of
integrity or confidentiality, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on SRX Series:
- 21.2 versions prior to 21.2R3-S8
- 21.4 versions prior to 21.4R3-S6
- 22.1 versions prior to 22.1R3-S5
- 22.2 versions prior to 22.2R3-S3
- 22.3 versions prior to 22.3R3-S2
- 22.4 versions prior to 22.4R2-S2, 22.4R3
- 23.2 versions prior to 23.2R1-S2, 23.2R2
hw:="Juniper SRX%" AND os:="Juniper Junos OS" AND ((os_version:>="21.2" AND os_version:<"21.2R3-S8") OR (os_version:>="21.4" AND os_version:<"21.4R3-S6") OR (os_version:>="22.1" AND os_version:<"22.1R3-S5") OR (os_version:>="22.2" AND os_version:<"22.2R3-S3") OR (os_version:>="22.3" AND os_version:<"22.3R3-S2") OR (os_version:>="22.4" AND os_version:<"22.4R2-S2") OR (os_version:>="23.2" AND os_version:<"23.2R1-S2"))Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. Successfully exploitation could allow an attacker to view sensitive information and make some changes to disclosed information. This vulnerability could be chained with CVE-2025-49704. CVE-2025-53771 is a patch bypass for CVE-2025-49706, and the updates for CVE-2025-53771 include more robust protection than those for CVE-2025-49706.
This vulnerability is known to be exploited in the wild, as determined by its presence on the CISA.gov Known Exploited Vulnerabilities (KEV) list.
The following versions are affected:
- versions 16.0.4366.1000 through 16.0.5508.1000
- versions 16.0.10338.12107 through 16.0.10417.20059
- versions 16.0.14326.20620 through 16.0.18526.20424
vendor:=Microsoft AND product:="SharePoint Server%" AND ((version:>=16.0.4366.1000 AND version:<16.0.5508.1000) OR (version:>=16.0.10338.12107 AND version:<16.0.10417.20059) OR (version:>=16.0.14326.20620 AND version:<16.0.18526.20424))finding:rz-finding-vulnerability-dosApache Tomcat versions 10.1.0-M1 through 10.1.42 are affected by multiple vulnerabilities:
-
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits. (CVE-2025-52520)
-
An uncontrolled resource consumption vulnerability if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams could result in a DoS. (CVE-2025-53506)
product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.43)Apache Tomcat versions 10.1.0-M1 through 10.1.43 are affected by the HTTP/2 MadeYouReset attack.
- Tomcat’s HTTP/2 implementation was vulnerable to the MadeYouReset attack. The denial of service typically manifested as an OutOfMemoryError. (CVE-2025-48989)
product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.44)Apache Tomcat versions 11.0.0-M1 through 11.0.9 are affected by the HTTP/2 MadeYouReset attack.
- Tomcat’s HTTP/2 implementation was vulnerable to the MadeYouReset attack. The denial of service typically manifested as an OutOfMemoryError. (CVE-2025-48989)
product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.10)Apache Tomcat versions 11.0.0-M1 through 11.0.8 are affected by multiple vulnerabilities:
-
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits. (CVE-2025-52520)
-
An uncontrolled resource consumption vulnerability if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams could result in a DoS. (CVE-2025-53506)
product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.9)Apache Tomcat versions 9.0.0-M1 through 9.0.106 are affected by multiple vulnerabilities:
-
A race condition on connection close could trigger a JVM crash when using the APR/Native connector leading to a DoS. This was particularly noticeable with client initiated closes of HTTP/2 connections. (CVE-2025-52434)
-
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits. (CVE-2025-52520)
-
An uncontrolled resource consumption vulnerability if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams could result in a DoS. (CVE-2025-53506)
product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.107)Apache Tomcat versions 9.0.0-M1 through 9.0.107 are affected by the HTTP/2 MadeYouReset attack.
- Tomcat’s HTTP/2 implementation was vulnerable to the MadeYouReset attack. The denial of service typically manifested as an OutOfMemoryError. (CVE-2025-48989)
product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.108)Eclipse Jetty prior to 12.0.25 are affected by the HTTP/2 MadeYouReset attack.
(vendor:=Eclipse OR vendor:="Mort Bay") AND product:Jetty AND (version:>12 AND version:<12.0.25)The OpenSSH Secure Shell (SSH) service is vulnerable to a double-free flaw that can be exploited in its default configuration. This issue only affects OpenSSH Secure Shell version 9.1p1. An attacker successfully exploiting this vulnerability could cause a denial-of-service condition. It has been theorized that remote code execution is possible, but this has not been confirmed.
_asset.protocol:=ssh AND protocol:=ssh AND (_service.product:="OpenBSD:OpenSSH:9.1" OR _service.product:="OpenBSD:OpenSSH:9.1p1")finding:rz-finding-vulnerability-info-disclosureApache versions 2.4.49 through 2.4.51 are affected by a path traversal vulnerability that could lead to disclosure of arbitrary files on the remote filesystem.
- It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require.
_asset.protocol:=http product:HTTPD AND version:>=2.4.49 AND version:<2.4.51Multiple Atlassian Confluence Data Center and Server versions are affected by a path traversal vulnerability that potentially leads to information disclosure.
- The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
vendor:=Atlassian AND product:Confluence AND NOT type:=Mobile AND ( (version:>0 AND version:<6.6.12) OR (version:>=6.7.0 AND version:<6.12.3) OR (version:>=6.13.0 AND version:<6.13.3) OR (version:>=6.14.0 AND version:<6.14.2))A directory traversal vulnerability in the web management interface of multiple Zyxel firewalls that could allow an attacker to download or upload files through a crafted URL.
The following versions are affected:
- ATP series firmware versions V5.00 through V5.38
- USG FLEX series firmware versions V5.00 through V5.38
- USG FLEX 50(W) series firmware versions V5.10 through V5.38
- USG20(W)-VPN series firmware versions V5.10 through V5.38
(os:="Zyxel ATP%" AND (os_version:>="5.00" AND os_version:<"5.39")) OR (os:="Zyxel USG20W-VPN" AND (os_version:>="5.10" AND os_version:<"5.39")) OR (os:="Zyxel USG Flex 50W" AND (os_version:>="5.10" AND os_version:<"5.39")) OR (os:="Zyxel USG Flex%" AND (os_version:>="5.00" AND os_version:<"5.39"))CrowdStrike Falcon LogScale (formerly Humio) is a log management and observability platform that ingests, stores, and enables real-time search of large-volume streaming data using an index-free architecture.
Certain versions of self-hosted LogScale are susceptible to an unauthenticated path traversal vulnerability. A remote, unauthenticated attacker could exploit a specific, exposed cluster API endpoint to read arbitrary files from the server filesystem. This vulnerability does not affect Next-Gen SIEM customers.
The following versions are affected:
- LogScale Self-Hosted (GA): Versions 1.224.0 through 1.234.0 (inclusive)
- LogScale Self-Hosted (LTS): Version 1.228.0 and 1.228.1
Severity & Risk Assessment
- Severity: High – Successful exploitation could allow an attacker to potentially read arbitrary files on the vulnerable system.
- Risk: High – This vulnerability can be exploited by a unprivileged remote attacker, meaning the barrier to entry for an attacker is low. This significantly increases the likelihood of widespread exploitation.
vendor:="CrowdStrike" AND product:="LogScale" AND version:>0 AND ((version:>=1.224.0 AND version:<=1.234.0) AND NOT ((version:>=1.228.2 AND version:<1.229.0) OR (version:>=1.233.1 AND version:<1.234.0)))The Intelligent Platform Management Interface (IPMI) is a commonly-implemented protocol suite used by Baseboard Management Controllers (BMCs) for out-of-band management of computer systems. BMCs that implement IPMI include SuperMicro (IPMI), Lenovo (XCC), Dell (DRAC), HP (iLO), and many others. The IPMI protocol suite includes a sub-protocol called the Remote Authenticated Key-Exchange Protocol (RAKP). RAKP supports HMAC-based authentication, but does so in a way where the BMC will send the expected HMAC hash to the user, prior to authentication.
This pre-authentication exposure enables an attacker to obtain the HMAC hash of the target user accounts, which can be cracked offline to obtain the clear-text password. The attacker needs to know a valid username, but this is often trivial to guess because most BMCs have one or more default accounts with well-known usernames (e.g. “admin”). An attacker that is able to obtain and crack the HMAC hash can use this to access the BMC as an administrative user, which in turn allows them to reflash malicious firmware, dump clear-text passwords of configured users, and attack the host system through various means, including the use of Keyboard Video Mouse (KVM) redirection.
_asset.protocols:ipmi AND has:ipmi.rakp.hashesA vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.
((hw:="Cisco NCS%" OR hw:="Cisco 8201" OR hw:="Cisco 8202" OR hw:="Cisco 8208" OR hw:="Cisco 8212" OR hw:="Cisco 8218") AND tcp_port:=6379)MongoDB is a non-relational, document-oriented database that stores data in flexible, BSON-formatted structures rather than fixed tabular rows and columns, allowing for dynamic schemas and horizontal scaling across distributed systems.
Certain versions of MongoDB are affected by a pre-authentication memory leak vulnerability. This flaw results from mismatched length fields in Zlib-compressed protocol headers, which may allow a remote, unauthenticated adversary to read uninitialized heap memory. This exposure of sensitive data can lead to unauthorized information disclosure.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- MongoDB Server 3.6.x all versions
- MongoDB Server 4.0.x all versions
- MongoDB Server 4.2.x all versions
- MongoDB Server 4.4.x versions prior to 4.4.30
- MongoDB Server 5.0.x versions prior to 5.0.32
- MongoDB Server 6.0.x versions prior to 6.0.27
- MongoDB Server 7.0.x versions prior to 7.0.28
- MongoDB Server 8.0.x versions prior to 8.0.17
- MongoDB Server 8.2.x versions prior to 8.2.3
(vendor:=MongoDB AND (product:=MongoDB OR product:="MongoDB MongoDB")) AND (version:>0 AND ( (version:>=3.6.0 AND version:<3.7) OR (version:>=4.0.0 AND version:<4.1) OR (version:>=4.2.0 AND version:<4.3) OR (version:>=4.4.0 AND version:<4.4.30) OR (version:>=5.0.0 AND version:<5.0.32) OR (version:>=6.0.0 AND version:<6.0.27) OR (version:>=7.0.0 AND version:<7.0.28) OR (version:>=8.0.0 AND version:<8.0.17) OR (version:>=8.2.0 AND version:<8.2.3)))Squid caching proxy is a versatile open-source proxy server that enhances web performance by caching and reusing frequently requested web pages and filtering traffic to enforce access policies.
Certain versions of the Squid caching proxy are vulnerable to an information disclosure via generated error messages
returned to clients. The flaw results from a failure to redact sensitive information such as HTTP authentication
credentials from error message %R and %W code expansions. This could be exploited through a script to bypass
browser security protections and discover the credentials a trusted client uses to authenticate. Successful
exploitation may allow a remote, unauthenticated adversary to identify security credentials or tokens used internally
by web applications using Squid for backend load balancing. Such an attack does not require Squid to be configured
with HTTP authentication.
The vulnerability depends on the email_err_data
configuration value. All Squid versions up to and including 7.1 configured without email_err_data or with
email_err_data on are vulnerable, since email_err_data defaults to on. All Squid versions configured with
email_err_data off are not vulnerable.
The patch code changes appear to indicate a possibility that sensitive information could be leaked via HTTP TRACE
responses as well, but this has not been verified.
The following versions are affected
- Squid 3.x versions up to and including 3.5.28
- Squid 4.x versions up to and including 4.17
- Squid 5.x versions up to and including 5.9
- Squid 6.x versions up to and including 6.14
- Squid 7.x versions up to and including 7.1
vendor:="Squid Cache" AND product:=Squid AND (version:>0 AND version:<7.2)finding:rz-finding-vulnerability-kevfinding:rz-finding-vulnerability-privilege-escalationCertain versions of Adobe Commerce and Magento Open Source are affected by an improper input validation vulnerability in the Commerce REST API. Successful exploitation could allow a remote, unauthenticated adversary to take over another user’s session.
Adobe’s advisory describes the impact as a “security feature bypass” that could allow an adversary to take over users' accounts but does not mention additional risks such as remote code execution (RCE). However, the vulnerability researcher, Blaklis, posted that the security update patches “a pre-auth RCE and a customer ATO [account takeover].” Any RCE aspect of this vulnerability remains unconfirmed.
The following versions are affected
- Adobe Commerce versions prior to and including 2.4.4-p15
- Adobe Commerce versions prior to and including 2.4.5-p14
- Adobe Commerce versions prior to and including 2.4.6-p12
- Adobe Commerce versions prior to and including 2.4.7-p7
- Adobe Commerce versions prior to and including 2.4.8-p2
- Adobe Commerce versions prior to and including 2.4.9-alpha2
- Adobe Commerce B2B versions prior to and including 1.3.3-p15
- Adobe Commerce B2B versions prior to and including 1.3.4-p14
- Adobe Commerce B2B versions prior to and including 1.4.2-p7
- Adobe Commerce B2B versions prior to and including 1.5.2-p2
- Adobe Commerce B2B versions prior to and including 1.5.3-alpha2
- Magento Open Source versions prior to and including 2.4.5-p14
- Magento Open Source versions prior to and including 2.4.6-p12
- Magento Open Source versions prior to and including 2.4.7-p7
- Magento Open Source versions prior to and including 2.4.8-p2
- Magento Open Source versions prior to and including 2.4.9-alpha2
vendor:=Adobe AND product:=Magento AND (version:>0 AND version:<="2.4.9-alpha2")Atlassian Confluence Data Center and Server versions 8.0 through 8.3.3, 8.4.0 through 8.4.3, and 8.5.0 through 8.5.2 are affected by a privilege escalation vulnerability.
- Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
vendor:=Atlassian AND product:Confluence AND ( (version:>=8.0 AND version:<8.3.3) OR (version:>=8.4.0 AND version:<8.4.3) OR (version:>=8.5.0 AND version:<8.5.2))Broadcom VMware ESXi, Workstation, and Fusion contain multiple vulnerabilities that, when combined, allow a malicous actor in a guest VM to execute code on a vulnerable host.
os:"vmware esxi" AND ((os_version:>0 AND os_version:<6) OR (os_version:>6 AND os_version:<"6.7.0 build-24514018") OR (os_version:>7 AND os_version:<"7.0.3 build-24585291") OR (os_version:>8 AND os_version:<"8.0.2") OR (os_version:>"8.0.2" AND os_version:<"8.0.2 build-24585300") OR (os_version:>"8.0.3" AND os_version:<"8.0.3 build-24585383"))Multiple vulnerabilities exist within the web-based management interface of Cisco Small Business RV Series Routers that could allow a remote attacker to execute arbitrary commands as root.
The following versions are affected:
- RV160 and RV260 Series Routers versions 1.0.01.05 and earlier
- RV340 and RV345 Series Routers versions 1.0.03.24 and earlier
((hw:="Cisco RV160%" OR hw:="Cisco RV260%") AND (os_version:>0 AND os_version:<="1.0.01.05")) OR ((hw:="Cisco RV340%" OR hw:="Cisco RV345%") AND (os_version:>0 AND os_version:<="1.0.03.24"))UniFi Network Application provides centralized management for scaling and optimizing network performance, security, and device configuration across enterprise, SOHO, or home networks.
-
CVE-2026-22557: Allows a malicious actor with access to the network the ability to exploit a Path Traversal vulnerability to access files on the underlying system that could be manipulated to access an underlying account.
-
CVE-2026-22558: Allows a malicious actor with authenticated access to the network, the ability to exploit a NoSQL Injection vulnerability to escalate privileges.
The following versions are affected
- UniFi Network Application versions 10.1.85 and earlier
- UniFi Network Application versions 10.2.93 and earlier
- UniFi Network Application versions 9.0.114 and earlier
This has been given a severity of Critical because
- Successful exploitation enables an adversary to escalate privileges on the vulnerable system.
This has been given a risk of Critical because
- Exploitation of this vulnerability does not require authentication.
vendor:=Ubiquiti AND product:="UniFi Network" AND version:>0 AND (version:<9.0.118 OR (version:>=10.1.0 AND version:<10.1.89) OR (version:>=10.2.0 AND version:<10.2.97))ISC BIND is open-source software, maintained by the Internet Systems Consortium (ISC), that implements the Domain Name System (DNS), which is the foundational protocol for translating human-readable domain names into IP addresses.
Certain versions of ISC BIND are affected by multiple vulnerabilities:
-
A cache poisoning vulnerability related to unsolicited resource records (RRs) - records in a DNS response that were not directly requested by a query - is possible under certain circumstances. This vulnerability exists because BIND is too lenient when accepting such records from answers. Successful exploitation allows a remote, unauthenticated adversary to inject forged records into the cache during a query. This can affect the resolution of future queries, potentially hijacking traffic (CVE-2025-40778).
-
A cache poisoning vulnerability exists due to a weakness in the pseudo-random number generator (PRNG). This weakness allows a remote, unauthenticated adversary to predict the source port and query ID that BIND will use. In specific circumstances, BIND can be tricked into caching spoofed responses from an adversary (CVE-2025-40780).
-
A resource exhaustion vulnerability exists due to flaws in handling malformed
DNSKEYrecords. Successful exploitation allows a remote, unauthenticated adversary to query for records within a specially crafted zone containing such records. This causes the server to consume excessive CPU resources, overwhelming it and significantly impacting performance, which leads to a denial-of-service (DoS) for legitimate clients (CVE-2025-8677).
Authoritative services are believed to be unaffected by these vulnerabilities; however, resolvers are affected.
The following versions are affected
- BIND versions 9.11.0 through 9.16.50
- Note: This range is only affected by CVE-2025-40778 and CVE-2025-40780. The latter (CVE-2025-40780) only affects versions 9.16.0 through 9.16.50.
- BIND versions 9.18.0 through 9.18.39
- BIND versions 9.20.0 through 9.20.13
- BIND versions 9.21.0 through 9.21.12
- BIND Supported Preview Edition versions 9.11.3-S1 through 9.16.50-S1
- Note: This range is only affected by CVE-2025-40778 and CVE-2025-40780. The latter (CVE-2025-40780) only affects versions 9.16.8-S1 through 9.16.50-S1.
- BIND Supported Preview Edition versions 9.18.11-S1 through 9.18.39-S1
- BIND Supported Preview Edition versions 9.20.9-S1 through 9.20.13-S1
Note: BIND versions prior to 9.11.0 were not specifically assessed, but are also believed to be affected.
vendor:=ISC AND product:=BIND AND (version:>0 AND ( (version:>=9 AND version:<9.11.0) OR (version:>=9.11.0 AND version:<=9.16.50) OR (version:>=9.18.0 AND version:<=9.18.39) OR (version:>=9.20.0 AND version:<=9.20.13) OR (version:>=9.21.0 AND version:<=9.21.12) OR (version:>="9.11.3-S1" AND version:<="9.16.50-S1") OR (version:>="9.18.11-S1" AND version:<="9.18.39-S1") OR (version:>="9.20.9-S1" AND version:<="9.20.13-S1")))GitLab Community Edition (CE) and Enterprise Edition (EE) are both vulnerable to an authentication bypass where an attacker with access to a valid signed SAML document from the identity provider could authenticate as another valid user within the environment’s SAML Identity Provider (IdP).
The following versions are affected
- Versions 17.9.x, prior to 17.9.2
- Versions 17.8.x, prior to 17.8.5
- Versions 17.7.x, prior to 17.7.7
vendor:=GitLab AND product:gitlab AND ((version:>17.9 AND version:<17.9.2) OR (version:>17.8 AND version:<17.8.5) OR (version:>17.7 AND version:<17.7.7))Certain versions of Plex Media Server are affected by an undisclosed vulnerability stemming from an incorrect resource transfer between spheres. The flaw was reported to Plex through its bug bounty program, and further details are not yet public.
The following versions are affected
- Plex Media Server versions 1.41.7.x through 1.42.0.x
vendor:=Plex AND product:"Media Server" AND (version:>0 AND version:<"1.42.1")finding:rz-finding-vulnerability-rceSeveral vulnerabilities affecting Apple’s AirPlay protocol, collectively referred to as AirBorne, could potentially allow remote code execution by a local attacker.
- A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to corrupt process memory. (CVE-2025-24252)
- An authentication issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to bypass authentication policy. (CVE-2025-24206)
hw:="apple%" AND protocol:airplay AND ( (os:="apple macos" AND ((osversion:>"13.0" AND osversion:<"13.7.5") OR (osversion:>"14.0" AND osversion:<"14.7.5") OR (osversion:>"15.0" AND osversion:<"15.4"))) OR (os:="apple ipados" AND ((osversion:>"17.0" AND osversion:<"17.7.6") OR (osversion:>"18.0" AND osversion:<"18.4"))) OR ((os:="apple tvos" OR os:="apple audioos") AND osversion:>0 AND osversion:<"18.4") OR (os:="apple ios" AND osversion:>0 AND osversion:<"18.4") OR (os:="apple visionos" AND osversion:>0 AND osversion:<"2.4") )Multiple versions of Apache ActiveMQ are vulnerable to an arbitrary code execution vulnerability.
- The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
_asset.protocol:=activemq AND product:ActiveMQ AND ((version:>0 AND version:<5.15.16) OR (version:>=5.16.0 AND version:<5.16.7) OR (version:>=5.17.0 AND version:<5.17.6) OR (version:>=5.18.0 AND version:<5.18.3))Apache Solr versions 7.4.0 through 7.7.3 and 8.0.0 through 8.11.0 are affected by a remote code execution vulnerability found within the bundled version of Apache Log4J.
- Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
vendor:=Apache AND product:Solr AND ((version:>=7.4.0 AND version:<7.7.3) OR (version:>=8.0.0 AND version:<8.11.0))Apache Tomcat versions 10.1.0-M1 through 10.1.33 are affected by multiple vulnerabilities:
-
The previous mitigation for CVE-2024-50379 was incomplete. In addition to upgrading to 10.1.34 or later, users running Tomcat on a case insensitive file system with the default servlet write enabled may need additional configuration depending on the version of Java being used. (CVE-2024-56337)
-
Numerous examples in the examples web application did not place limits on uploaded data enabling an OutOfMemoryError to be triggered causing a denial of service. (CVE-2024-54677)
-
If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat’s case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution. (CVE-2024-50379)
product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.34)Apache Tomcat versions 11.0.0-M1 through 11.0.1 are affected by multiple vulnerabilities:
-
The previous mitigation for CVE-2024-50379 was incomplete. In addition to upgrading to 11.0.2 or later, users running Tomcat on a case insensitive file system with the default servlet write enabled may need additional configuration depending on the version of Java being used. (CVE-2024-56337)
-
Numerous examples in the examples web application did not place limits on uploaded data enabling an OutOfMemoryError to be triggered causing a denial of service. (CVE-2024-54677)
-
If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat’s case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution. (CVE-2024-50379)
product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.2)Apache Tomcat versions 9.0.0-M1 through 9.0.97 are affected by multiple vulnerabilities:
-
The previous mitigation for CVE-2024-50379 was incomplete. In addition to upgrading to 9.0.98 or later, users running Tomcat on a case insensitive file system with the default servlet write enabled may need additional configuration depending on the version of Java being used. (CVE-2024-56337)
-
Numerous examples in the examples web application did not place limits on uploaded data enabling an OutOfMemoryError to be triggered causing a denial of service. (CVE-2024-54677)
-
If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat’s case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution. (CVE-2024-50379)
product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.98)Apple TVs running versions prior to 16.2 are affected by multiple vulnerabilities, potentially leading to remote code execution.
os:"Apple tvOS" AND osversion:>0 AND osversion:<16.2Apple TVs running versions prior to 18.6 are affected by multiple vulnerabilities, potentially leading to denial of service, elevation of privilege, spoofing, remote code execution, sensitive information disclosure, cross-site scripting, data manipulation and security restriction bypass on vulnerable systems.
os:"Apple tvOS" AND osversion:>0 AND osversion:<18.6Apple TVs running versions prior to 26 are affected by multiple vulnerabilities, potentially leading to denial of service, elevation of privilege, spoofing, remote code execution, sensitive information disclosure, data manipulation and security restriction bypass on the targeted system.
os:"Apple tvOS" AND osversion:>0 AND osversion:<26Atlassian Confluence Data Center and Server versions 8.0 through 8.5.3 are affected by a remote code execution vulnerability.
- A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.
vendor:=Atlassian AND product:Confluence AND (version:>=8.0 AND version:<8.5.4)Several versions of Atlassian Confluence Data Center and Server are affected by a remote code execution vulnerability.
- In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<6.13.23) OR (version:>=6.14.0 AND version:<7.4.11) OR (version:>=7.5.0 AND version:<7.11.6) OR (version:>=7.12.0 AND version:<7.12.5)) Several versions of Atlassian Confluence Data Center and Server are affected by a remote code execution vulnerability.
- In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
vendor:=Atlassian AND product:Confluence AND ( (version:>=1.3.0 AND version:<7.4.17) OR (version:>=7.13.0 AND version:<7.13.7) OR (version:>=7.14.0 AND version:<7.14.3) OR (version:>=7.15.0 AND version:<7.15.2) OR (version:>=7.16.0 AND version:<7.16.4) OR (version:>=7.17.0 AND version:<7.17.4) OR (version:>=7.18.0 AND version:<7.18.1) OR )Certain versions of Broadcom VMware ESXi, Workstation, Fusion, and Tools are affected by multiple vulnerabilities that, when combined, allow an adversary who already has privileged access (administrator or root) in a VM’s guest OS or has compromised a VM’s guest OS or services and gained privileged access to escape into the hypervisor and execute arbitrary code on the vulnerable system.
-
VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability due to an out-of-bounds write in the VMXNET3 virtual network adapter. An adversary with local administrative privileges on a virtual machine with the VMXNET3 virtual network adapter may exploit the vulnerability and execute arbitrary code on the host. Non-VMXNET3 virtual adapters are not affected by the vulnerability (CVE-2025-41236).
-
VMware ESXi, Workstation, and Fusion contain an integer-underflow vulnerability due to an out-of-bounds write in the VMCI (Virtual Machine Communication Interface). An adversary with local administrative privileges on a virtual machine may exploit the vulnerability and execute arbitrary code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the Workstation or Fusion host machine (CVE-2025-41237).
-
VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bounds write. An adversary with local administrative privileges on a virtual machine may exploit the vulnerability and execute arbitrary code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox and exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead to code execution on the Workstation or Fusion host machine (CVE-2025-41238).
-
VMware ESXi, Workstation, Fusion, and VMware Tools contain an information disclosure vulnerability due to the usage of an uninitialised memory in vSockets. An adversary with local administrative privileges on a virtual machine may exploit the vulnerability and leak memory from processes communicating with vSockets (CVE-2025-41239).
The following versions are affected
- VMware ESXi versions 7.0 prior to 7.0.3 build-24784741
- VMware ESXi versions 8.0 prior to 8.0.2 build-24789317
- VMware ESXi versions 8.0 prior to 8.0.3 build-24784735
- VMware Workstation version 17.x prior to 17.6.4
- VMware Fusion version 13.x prior to 13.6.4
- VMware Tools on Windows version 11.x.x or 12.x.x prior to 12.5.3
- VMware Tools on Windows version 13.x.x prior to 13.0.1.0
os:"vmware esxi" AND ((os_version:>7 AND os_version:<"7.0.3 build-24784741") OR (os_version:>8 AND (os_version:<"8.0.2 build-24789317" OR os_version:<"8.0.3 build-24784735")))Cacti is an open source platform which provides a robust and extensible operational
monitoring and fault management framework for users. In affected versions a command
injection vulnerability allows an unauthenticated user to execute arbitrary code on a server
running Cacti, if a specific data source was selected for any monitored device. The
vulnerability resides in the remote_agent.php file. This file can be accessed without
authentication. This function retrieves the IP address of the client via get_client_addr
and resolves this IP address to the corresponding hostname via gethostbyaddr. After this,
it is verified that an entry within the poller table exists, where the hostname
corresponds to the resolved hostname. If such an entry was found, the function returns
true and the client is authorized. This authorization can be bypassed due to the
implementation of the get_client_addr function. The function is defined in the file
lib/functions.php and checks serval $_SERVER variables to determine the IP address of
the client. The variables beginning with HTTP_ can be arbitrarily set by an attacker.
Since there is a default entry in the poller table with the hostname of the server running
Cacti, an attacker can bypass the authentication e.g. by providing the header
Forwarded-For: <TARGETIP>. This way the function get_client_addr returns the IP address
of the server running Cacti. The following call to gethostbyaddr will resolve this IP
address to the hostname of the server, which will pass the poller hostname check because
of the default entry. After the authorization of the remote_agent.php file is bypassed, an
attacker can trigger different actions. One of these actions is called polldata. The
called function poll_for_data retrieves a few request parameters and loads the
corresponding poller_item entries from the database. If the action of a poller_item
equals POLLER_ACTION_SCRIPT_PHP, the function proc_open is used to execute a PHP script.
The attacker-controlled parameter $poller_id is retrieved via the function
get_nfilter_request_var, which allows arbitrary strings. This variable is later inserted
into the string passed to proc_open, which leads to a command injection vulnerability. By
e.g. providing the poller_id=;id the id command is executed. In order to reach the
vulnerable call, the attacker must provide a host_id and local_data_id, where the
action of the corresponding poller_item is set to POLLER_ACTION_SCRIPT_PHP. Both of
these ids (host_id and local_data_id) can easily be bruteforced. The only requirement is
that a poller_item with an POLLER_ACTION_SCRIPT_PHP action exists. This is very likely
on a productive instance because this action is added by some predefined templates like
Device - Uptime or Device - Polling Time. This command injection vulnerability allows an
unauthenticated user to execute arbitrary commands if a poller_item with the action type
POLLER_ACTION_SCRIPT_PHP (2) is configured. The authorization bypass should be prevented
by not allowing an attacker to make get_client_addr (file lib/functions.php) return an
arbitrary IP address. This could be done by not honoring the HTTP_... $_SERVER
variables. If these should be kept for compatibility reasons it should at least be prevented
to fake the IP address of the server running Cacti. This vulnerability has been addressed in
both the 1.2.x and 1.3.x release branches with 1.2.23 being the first release containing
the patch.
_asset.products:Cacti AND vendor:=Cacti AND product:Cacti AND (version:>0 AND version:<1.2.23)Cisco Secure Firewall Management Center (FMC) is a centralized administrative platform used to configure security policies, manage firmware updates, and aggregate threat telemetry across physical and virtual Cisco security appliances from a single interface.
Certain versions of Cisco FMC are affected by the following vulnerabilities:
-
CVE-2026-20079: The Cisco FMC web interface contains an authentication bypass vulnerability stemming from an improper system process created at boot time. A remote, unauthenticated adversary could exploit this by sending crafted HTTP requests, allowing them to bypass authentication and execute script files or commands to obtain root access to the underlying operating system.
-
CVE-2026-20131: The Cisco FMC web-based management interface contains a remote code execution (RCE) vulnerability due to insecure deserialization of a user-supplied Java byte stream. A remote, unauthenticated adversary could exploit this by sending a crafted serialized Java object to the interface, allowing them to execute arbitrary code and elevate privileges to root. Note: Deployments where the management interface lacks public Internet access significantly reduce the associated attack surface.
There is evidence that CVE-2026-20131 is being actively exploited in the wild.
The following versions of Cisco FMC are affected by one or both vulnerabilities:
- Cisco FMC versions prior to 7.0.9
- Cisco FMC versions prior to 7.2.11
- Cisco FMC versions prior to 7.4.4 (CVE-2026-20079) and prior to 7.4.6 (CVE-2026-20131)
- Cisco FMC versions prior to 7.6.4 (CVE-2026-20079) and prior to 7.6.5 (CVE-2026-20131)
- Cisco FMC versions prior to 7.7.12
- Cisco FMC versions prior to 10.0.1 (CVE-2026-20131 only)
This has been given a severity of Critical because
- Successful exploitation would allow an adversary to execute arbitrary code on the vulnerable system.
This has been given a risk of Critical because
- Exploitation of this vulnerability does not require authentication.
os:="Cisco FMC%" AND os_version:>0 AND ((os_version:>="6.4.0.13" AND os_version:<="6.4.0.18") OR (os_version:>="7.0.0" AND os_version:<"7.0.9") OR (os_version:>="7.1.0" AND os_version:<"7.2.11") OR (os_version:>="7.3.0" AND os_version:<"7.4.6") OR (os_version:>="7.6.0" AND os_version:<"7.6.5") OR (os_version:>="7.7.0" AND os_version:<"7.7.12") OR (os_version:="10.0.0"))A vulnerability within the SSL VPN module of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code on a vulnerable device.
The following versions are affected:
- Firmware versions 1.0.03.24 and earlier
(hw:="Cisco RV340%" OR hw:="Cisco RV345%") AND (os_version:>0 AND os_version:<="1.0.03.24")Cleo Harmony versions prior to 5.8.0.21 are vulnerable to a condition allowing remote unauthenticated attackers to read or upload arbitrary files that could lead to remote code execution.
vendor:=Cleo AND product:harmony AND (version:>0 AND version:<5.8.0.21)Cleo Lexicom versions prior to 5.8.0.21 are vulnerable to a condition allowing remote unauthenticated attackers to read or upload arbitrary files that could lead to remote code execution.
vendor:=Cleo AND product:lexicom AND (version:>0 AND version:<5.8.0.21)Cleo VLTrader versions prior to 5.8.0.21 are vulnerable to a condition allowing remote unauthenticated attackers to read or upload arbitrary files that could lead to remote code execution.
vendor:=Cleo AND product:vltrader AND (version:>0 AND version:<5.8.0.21)ConnectWise ScreenConnect versions prior to 23.9.8 contain multiple vulnerabilities which could lead to arbitrary code execution by a remote attacker.
- ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. (CVE-2024-1708)
- ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. (CVE-2024-1709)
vendor:=ConnectWise AND product:ScreenConnect AND (version:>0 AND version:<23.9.8)Elastic Kibana versions 8.15.0 to 8.17.2 are vulnerable to an arbitrary code execution vulnerability.
vendor:=Elastic AND product:kibana AND (version:>8.14 AND version:<8.17.3)The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor’s intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
vendor:=Elastic AND (product:=Search OR product:=Elasticsearch) AND ( (version:>0 AND version:<1.2 AND NOT version:"0:%") OR (version:"0:%" AND version:>"0:0" AND version:<"0:1.2"))Several versions of BIG-IP are vulnerable to a remote code execution by an unauthenticated attacker.
- On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. (CVE-2021-22986)
os:="F5 Networks BIG-IP" AND ( (osversion:>"12.1" AND osversion:<"12.1.5.3") OR (osversion:>"13.1" AND osversion:<"13.1.3.6") OR (osversion:>"14.1" AND osversion:<"14.1.4") OR (osversion:>"15.1" AND osversion:<"15.1.2.1") OR (osversion:>"16.0" AND osversion:<"16.0.1.1") )An out-of-bounds write in Fortinet FortiOS allows a remote attacker to potentially execute unauthorized code or commands using specifically crafted requests.
The following versions of Fortinet FortiOS are affected
- versions 7.4.0 through 7.4.2
- versions 7.2.0 through 7.2.6
- versions 7.0.0 through 7.0.13
- versions 6.4.0 through 6.4.14
- versions 6.2.0 through 6.2.15
- versions 6.0.0 through 6.0.17
The following versions of FortiProxy are affected
- versions 7.4.0 through 7.4.2
- versions 7.2.0 through 7.2.8
- versions 7.0.0 through 7.0.14
- versions 2.0.0 through 2.0.13
- versions 1.2.0 through 1.2.13
- versions 1.1.0 through 1.1.6
- versions 1.0.0 through 1.0.7
os:="Fortinet FortiOS" AND ((os_version:>="7.4.0" AND os_version:<"7.4.3") OR (os_version:>="7.2.0" AND os_version:<"7.2.7") OR (os_version:>="7.0.0" AND os_version:<"7.0.14") OR (os_version:>="2.0.0" AND os_version:<"2.0.14") OR (os_version:>="1.2.0" AND os_version:<"1.2.14") OR (os_version:>="1.1.0" AND os_version:<"1.1.7") OR (os_version:>="1.0.0" AND os_version:<"1.0.8"))A use of externally-controlled format string in multiple Fortinet products allows attacker to execute unauthorized code or commands via specially crafted packets.
The following versions are affected
- FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13
- FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3
- FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14
- FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3
(os:="Fortinet FortiOS" AND ((os_version:>="7.4.0" AND os_version:<"7.4.3") OR (os_version:>="7.2.0" AND os_version:<"7.2.7") OR (os_version:>="7.0.0" AND os_version:<"7.0.15"))) OR (os:="Fortinet FortiPAM" AND ((os_version:>="1.0.0" AND os_version:<"1.0.4") OR (os_version:>="1.1.0" AND os_version:<"1.1.3") OR (os_version:="1.2.0")))An issue was discovered in GitLab both Community and Enterprise editions affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
The following versions are affected
- 11.9.x prior to 13.8.7
- 13.9.0 prior to 13.9.5
- 13.10.0 prior to 13.10.2
vendor:=GitLab AND product:gitlab AND ((version:>11.9 AND version:<13.8.7) OR (version:>13.9 AND version:<13.9.5) OR (version:>13.10 AND version:<13.10.2))The Grandstream GXP1600 series is a collection of entry-level, Linux-based Voice over Internet Protocol (VoIP) phones used for making and receiving voice calls over a network via the Session Initiation Protocol (SIP).
Certain versions of the Grandstream GXP1600 series Voice over Internet Protocol (VoIP) phones contain a stack-based
buffer overflow vulnerability in the HTTP API endpoint /cgi-bin/api.values.get. Successful exploitation could allow
a remote, unauthenticated adversary achieve remote code execution (RCE) with root privileges on the phone.
The following models and versions are affected
- GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 firmware versions prior to 1.0.7.81
This vulnerability has been given a severity of Critical because
- Successful exploitation would allow an adversary to execute arbitrary code on the vulnerable system.
This vulnerability has been given a risk of Critical because
- Exploitation of this vulnerability does not require authentication.
hw:="Grandstream GXP16__" AND (os_version:>0 AND os_version:<"1.0.7.81")HashiCorp published eight security bulletins for issues impacting Vault Community Edition and Vault Enterprise, all of which have been addressed in the latest Vault versions: 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
-
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. (HCSEC-2025-13 / CVE-2025-5999)
-
A privileged Vault operator within the root namespace with write permission to sys/audit may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. (HCSEC-2025-14 / CVE-2025-6000)
-
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s userpass auth method. (HCSEC-2025-15 / CVE-2025-6011)
-
Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. (HCSEC-2025-16 / CVE-2025-6004)
-
Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. (HCSEC-2025-17 / CVE-2025-6014)
-
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to impersonate another user. (HCSEC-2025-18 / CVE-2025-6037)
-
Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. (HCSEC-2025-19 / CVE-2025-6015)
-
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. (HCSEC-2025-20 / CVE-2025-6013)
vendor:="HashiCorp" AND product:"Vault" AND ( (version:>=1.20.0 AND version:<1.20.2) OR (version:>=1.19.0 AND version:<1.19.8) OR (version:>=1.18.0 AND version:<1.18.13) OR (version:>0 AND version:<1.16.24))Langflow is a popular, open-source tool for building and deploying AI-powered agents and workflows.
A vulnerability was found in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint that
allows building public flows without requiring authentication. When the optional data parameter
is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code
in node definitions) instead of the stored flow data from the database. This code is passed to
exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is
distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The
build_public_tmp endpoint was designed to be unauthenticated for public flows. However, it
blindly accepts attacker-supplied flow data containing arbitrary executable code.
The following versions are affected
- Langflow versions prior to 1.8.2
This has been given a severity of Critical because
- Exploitation of this vulnerability allows an adversary to remotely execute arbitrary code.
This has been given a risk of Critical because
- Exploitation of this vulnerability does not require authentication.
vendor:=Langflow AND product:=Langflow AND (version:>0 AND version:<1.8.2)Microsoft SharePoint is a web-based collaboration and document management platform within the Microsoft 365 suite. It acts as a secure, centralized hub for storing, organizing, sharing, and accessing information from any device.
On January 13, 2026, Microsoft disclosed a remote code execution vulnerability, designated CVE-2026-20963, in Microsoft SharePoint. The vulnerability is due to deserialization of untrusted data in Microsoft SharePoint which allows a remote, unauthenticated attacker to execute code over a network.
While initially released with a CVSS score of 8.8, the score was updated to 9.8 on March 17, 2026.
This vulnerability is known to be exploited in the wild and was added to the CISA.gov Known Exploited Vulnerabilities (KEV) list on March 18, 2026.
The following versions are affected:
- SharePoint Enterprise Server 2016 before version 16.0.5535.1001
- SharePoint Server 2019 before version 16.0.10417.20083
- SharePoint Server Subscription Edition before version 16.0.19127.20442
vendor:=Microsoft AND ( (product:="SharePoint Server 2016" AND (version:>=16.0.4107.1002 AND version:<16.0.5535.1001)) OR (product:="SharePoint Server 2019" AND (version:>=16.0.10711.37301 AND version:<16.0.10417.20083)) OR (product:="SharePoint Server Subscription Edition" AND (version:>=16.0.0.1 AND version:<16.0.19127.20442)) )MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
The following versions are affected
- All versions through 6.42
os:="MikroTik RouterOS" AND (os_version:>"0" AND os_version:<="6.42")Certain versions of FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera contain a buffer overflow vulnerability. Successfully exploiting this vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable system.
Note that there is evidence that this vulnerability is being exploited in the wild.
- A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiVoice versions 7.2.0, 7.0.0 through 7.0.6, 6.4.0 through 6.4.10, FortiRecorder versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.5, 6.4.0 through 6.4.5, FortiMail versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.8, FortiNDR versions 7.6.0, 7.4.0 through 7.4.7, 7.2.0 through 7.2.4, 7.0.0 through 7.0.6, FortiCamera versions 2.1.0 through 2.1.3, 2.0 all versions, 1.1 all versions, allows a remote unauthenticated attacker to execute arbitrary code or commands via sending HTTP requests with specially crafted hash cookie. (CVE-2025-32756)
hw:="Fortinet%" AND type:="SIP Gateway" AND ((osversion:="7.2.0") OR (osversion:>"7.0.0" AND osversion:<"7.0.7") OR (osversion:>="6.4.0" AND osversion:<"6.4.11"))Vulnerable versions of Novi Survey allow remote attackers to execute arbitrary code on the server in the context of the service account. This does not provide access to stored survey or response data.
The following versions are affected
- All versions prior to 8.9.43676
vendor:="3rd Millennium" AND product:="Novi Survey" AND (version:>"0" AND version:<"8.9.43676") PHP versions 8.1.0 through 8.1.28 served by Apache on Windows hosts are affected by multiple vulnerabilities.
-
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. (CVE-2024-1874)
-
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use Best-Fit behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. (CVE-2024-4577)
-
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. (CVE-2024-5458)
-
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. (CVE-2024-5585)
os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.1 AND version:<8.1.29)PHP versions 8.2.0 through 8.2.19 served by Apache on Windows hosts are affected by multiple vulnerabilities.
-
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. (CVE-2024-1874)
-
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use Best-Fit behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. (CVE-2024-4577)
-
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. (CVE-2024-5458)
-
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. (CVE-2024-5585)
os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.2 AND version:<8.2.20)PHP versions 8.3.0 through 8.3.7 served by Apache on Windows hosts are affected by multiple vulnerabilities.
-
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. (CVE-2024-1874)
-
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use Best-Fit behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. (CVE-2024-4577)
-
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. (CVE-2024-5458)
-
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. (CVE-2024-5585)
os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.3 AND version:<8.3.8)Parallels Plesk Panel versions 9.0 through 9.2.3 running on Linux hosts are vulnerable to remote code execution.
- The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823. (CVE-2013-4878)
not os:Windows AND vendor:=parallels AND product:=plesk AND (version:>9.0.0 AND version:<9.5.4)Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.
vendor:=Rejetto AND product:"HTTP File Server" AND version:>0 AND version:<3The Rejetto HTTP File Server (HFS) versions 2.0 through 2.3m running on Windows are vulnerable to an unauthenticated remote code execution vulnerability.
- Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.
os:Windows AND vendor:=Rejetto AND product:"HTTP File Server" AND version:>=2.0 AND version:<"2.3m" Certain models and versions of Rockwell Automation ControlLogix Ethernet modules are affected by a remote code execution (RCE) vulnerability. This vulnerability exists because a web-based debugger agent is enabled on the affected modules. Successful exploitation, by a specific IP address being used to connect to this web-based debugger agent, allows a remote, unauthenticated adversary to perform memory dumps, modify memory, and control execution flow.
The following models and versions are affected
- 1756-EN2T/D versions 11.004 or below
- 1756-EN2F/C versions 11.004 or below
- 1756-EN2TR/C versions 11.004 or below
- 1756-EN3TR/B versions 11.004 or below
- 1756-EN2TP/A versions 11.004 or below
((_asset.protocol:="cip" OR asset.protocol:="cip-udp") AND protocol:"cip" AND (cip.product:="1756-EN2T/D" OR cip.product:="1756-EN2F/C" OR cip.product:="1756-EN2TR/C" OR cip.product:="1756-EN3TR/B" OR cip.product:="1756-EN2TP/A") AND (cip.revision:>"0" AND (cip.revision:<"12" OR cip.revision:"12.0%"))) OR ((_asset.protocol:="ethernetip" OR asset.protocol:="ethernetip-udp") AND protocol:"ethernetip" AND (ethernetip.product:="1756-EN2T/D" OR ethernetip.product:="1756-EN2F/C" OR ethernetip.product:="1756-EN2TR/C" OR ethernetip.product:="1756-EN3TR/B" OR ethernetip.product:="1756-EN2TP/A") AND (ethernetip.revision:>"0" AND (ethernetip.revision:<"12" OR ethernetip.revision:"12.0%")))An insecure deserialization vulnerability affects certain versions of SAP NetWeaver. The vulnerability is related to the RMI-P4 module, which handles Remote Method Invocation (RMI) and Common Object Request Broker Architecture (CORBA) features. This module uses the P4 protocol, a proprietary SAP protocol that allows remote objects to communicate over the following default port ranges:
- P4: 50004–59904
- P4 over HTTP: 50005–59905
- P4 over SSL: 50006–59906
An adversary can exploit this vulnerability by sending a malicious payload to an open port used by this module, causing the application to deserialize untrusted Java objects. Successful exploitation could allow a remote, unauthenticated adversary to execute arbitrary OS commands on the target system.
The following versions are affected
- SAP NetWeaver SERVERCORE versions prior to and including 7.50
vendor:=SAP AND product:"NetWeaver" AND (version:>0 AND version:<=7.50)Certain versions of Sangoma FreePBX are affected by multiple flaws, identified under this CVE ID, including an
authentication bypass of the Administrator Control Panel (ACP). This vulnerability can lead to arbitrary database
manipulation and remote code execution (RCE) because the commercial endpoint module insufficiently sanitizes
user-supplied data. Successful exploitation could allow a remote, unauthenticated adversary to gain root access to the
target system. There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- FreePBX 15.x versions prior to 15.0.66
- FreePBX 16.x versions prior to 16.0.89
- FreePBX 17.x versions prior to 17.0.3
Note: End-of-life (EOL) versions have not been tested for this vulnerability and may also be affected. It is strongly recommended to upgrade all EOL FreePBX versions to a supported release.
((vendor:=FreePBX AND product:=PBX) OR (vendor:=Sangoma AND product:=FreePBX)) AND (version:>0 AND (version:<"15.0.66(%)" OR version:<"16.0.89(%)" OR version:<"17.0.3(%)"))SolarWinds Web Help Desk is an on-premises IT service management (ITSM) software that automates help desk ticketing, asset tracking, and change management through a centralized, self-hosted platform.
Certain versions of SolarWinds Web Help Desk (WHD) are affected by multiple vulnerabilities:
-
CVE-2025-40551: An untrusted data deserialization vulnerability that could lead to remote code execution (RCE). Successful exploitation allows a remote, unauthenticated adversary to execute arbitrary commands on the host machine.
-
CVE-2025-40552: An authentication bypass vulnerability. A remote, unauthenticated adversary could exploit this to trigger actions and methods that should otherwise be restricted.
-
CVE-2025-40553: An untrusted data deserialization vulnerability that could lead to remote code execution (RCE). Successful exploitation allows a remote, unauthenticated adversary to execute arbitrary commands on the host machine.
-
CVE-2025-40554: An authentication bypass vulnerability. A remote, unauthenticated adversary could exploit this to invoke specific actions within Web Help Desk.
The following versions are affected
- SolarWinds Web Help Desk versions prior to 12.8.8 Hotfix 1 (HF1)
vendor:=SolarWinds AND product:="Web Help Desk" AND (version:>0 AND version:<12.8.8.2585)SolarWinds Web Help Desk is an on-premises IT service management (ITSM) software that automates help desk ticketing, asset tracking, and change management through a centralized, self-hosted platform.
Certain versions of SolarWinds Web Help Desk (WHD) are affected by a deserialization of untrusted data vulnerability
in the AjaxProxy component. Successful exploitation allows a remote, unauthenticated adversary to achieve remote
code execution (RCE) on the host machine. This vulnerability bypasses the patch for CVE-2024-28988, which in turn was
an incomplete fix for the original vulnerability, CVE-2024-28986.
There is evidence that the vulnerability is being actively exploited in the wild.
The following versions are affected
- SolarWinds Web Help Desk versions prior to 12.8.7 Hotfix 1 (HF1)
vendor:=SolarWinds AND product:="Web Help Desk" AND (version:>0 AND version:<12.8.7.2174)Certain versions of SonicWall SMA1000 appliances are vulnerable to an unauthenticated remote code execution vulnerability.
- Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands. (CVE-2025-23006)
hw:="SonicWall SMA1000" AND (osversion:>0 AND osversion:<12.4.3)A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall.
The following SonicOS Gen 6 versions are affected:
- 6.5.4.7, 6.5.1.12, 6.0.5.3
The following SonicOSv versions are affected
- 6.5.4.v
The following SonicOS Gen 7 versions are affected
- 7.0.0.0
os:="SonicWall SonicOS" AND (os_version:="7.0.0.0" OR os_version:="6.5.4.7" OR os_version:="6.5.1.12" OR os_version:="6.0.5.3" OR os_version:="6.5.4.v")VMware vCenter Server versions 7.0 through 7.0 U3t and 8.0 through 8.0 U3d are affected by multiple vulnerabilities found within the VMSA-2024-0019 advisory:
-
The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution. (CVE-2024-38812)
-
The vCenter Server contains a privilege escalation vulnerability. A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet. (CVE-2024-38813)
vendor:=VMware AND (product:"vcenter server" OR product:"cloud foundation") AND ((version:>7.0 AND version:<"7.0.3 build-24322018") OR (version:>8.0 AND version:<"8.0.3 build-24322831"))A buffer overflow vulnerability in the notification function in multiple Zyxel firewalls, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
The following versions are affected:
- ATP series firmware versions 4.60 through 5.36 Patch 1
- USG FLEX series firmware versions 4.60 through 5.36 Patch 1
- USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1
- USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1
- VPN series firmware versions 4.60 through 5.36 Patch 1
- ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1
((os:="Zyxel ATP%" OR os:="Zyxel USG Flex%" OR os:="Zyxel USG20W-VPN" OR os:="Zyxel USG20-VPN" OR os:="Zyxel VPN%") AND (os_version:>="4.60" AND os_version:<="5.36")) OR ((os:="Zyxel USG40%" OR os:="Zyxel USG60%") AND (os_version:>="4.60" AND os_version:<="4.73"))A buffer overflow vulnerability in the ID processing function in multiple Zyxel firewalls, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
The following versions are affected
- ATP series firmware versions 4.32 through 5.36 Patch 1
- USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1
- USG FLEX series firmware versions 4.50 through 5.36 Patch 1
- USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1
- VPN series firmware versions 4.30 through 5.36 Patch 1
- ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1
(os:="Zyxel ATP%" AND (os_version:>="4.32" AND os_version:<="5.36")) OR (os:="Zyxel USG Flex 50W" AND (os_version:>="4.25" AND os_version:<="5.36")) OR (os:="Zyxel USG20W-VPN" AND (os_version:>="4.25" AND os_version:<="5.36")) OR ((os:="Zyxel USG20%" OR os:="Zyxel USG40%" OR os:="Zyxel USG60%") AND (os_version:>="4.50" AND os_version:<="5.36")) OR (os:="Zyxel USG Flex%" AND (os_version:>="4.25" AND os_version:<="4.73" AND not os:="Zyxel USG Flex 50W")) OR (os:="Zyxel VPN%" AND (os_version:>="4.30" AND os_version:<="5.36"))Improper error message handling in multiple Zyxel firewalls, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
The following versions are affected
- ZyWALL/USG series firmware versions 4.60 through 4.73
- VPN series firmware versions 4.60 through 5.35
- USG FLEX series firmware versions 4.60 through 5.35
- ATP series firmware versions 4.60 through 5.35
((os:="Zyxel ATP%" OR os:="Zyxel USG Flex%" OR os:="Zyxel VPN%") AND (os_version:>="4.60" AND os_version:<="5.35")) OR ((os:="Zyxel %USG100" OR os:="Zyxel %USG300") AND (os_version:>="4.60" AND os_version:<="4.73"))n8n is a popular AI-centric workflow automation tool.
Certain versions of n8n are affected by an unauthenticated file manipulation vulnerability when using vulnerable workflow definitions. Successfully exploiting this vulnerability would allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable system.
The following versions are affected
- n8n versions 1.65.0 up to but not including 1.121.0
vendor:=n8n AND product:=n8n AND version:>0 AND (version:>=1.65.0 AND version:<1.121.0) Apache HTTP Server is an open-source, cross-platform application that serves web content by processing requests via the Hypertext Transfer Protocol (HTTP).
Certain versions of Apache HTTP Server are affected by a double free vulnerability that may lead to remote code execution (RCE). This flaw occurs within the HTTP/2 protocol implementation when a stream undergoes an “early reset.” While further technical details are not publicly available at this time, the vulnerability involves a memory management error triggered during specific HTTP/2 communication sequences.
The following versions are affected:
- Apache HTTP Server: Version 2.4.66
Severity & Risk Assessment
- Severity: High – Successful exploitation could allow an attacker to potentially execute arbitrary code on the vulnerable system.
- Risk: High – This vulnerability can be exploited by a low-privileged remote attacker, meaning the barrier to entry for an attacker is low. This significantly increases the likelihood of widespread exploitation.
vendor:=Apache AND product:=HTTPD AND version:>0 AND version:=2.4.66Several vulnerabilities affecting Apple’s device ecosystem have been weaponized into an exploit chain known as Coruna. These vulnerabilities enable remote code execution and payload deployment when a user visits a malicious website.
The exploit chain is known to include at least 23 vulnerabilities targeting iOS 13.0 up to version 17.2.1.
This exploit chain is known to have been used by at least one commercial surveillance vendor and suspected state-sponsored actors. In 2025, it was observed being used by financially motivated threat actors from China. In March 2026, the chain and related exploit kit tooling was leaked publicly and is now available for use by a wider range of malicious actors.
(os:="apple ios" OR os:="apple ipados" ) AND ((osversion:>="17.0" AND osversion:<"17.5") OR (osversion:>="16.0" AND osversion:<"16.7.8") OR (osversion:>="15.0" AND osversion:<"15.7.8") OR (osversion:>="13.0" AND osversion:<"14.7"))Several vulnerabilities affecting Apple’s device ecosystem have been weaponized into an exploit chain known as DarkSword. These vulnerabilities enable remote code execution and payload deployment when a user visits a malicious website.
This exploit chain is known to have been used by multiple commercial surveillance vendors and suspected state-sponsored actors. In March 2026, the chain and related exploit kit tooling was leaked publicly and is now available for use by a wider range of malicious actors.
There are 6 vulnerabilities known to be part of the DarkSword exploit chain:
- CVE-2025-14174 - Memory corruption vulnerability in ANGLE, patched in 18.7.3 and 26.2
- CVE-2025-31277 - Memory corruption vulnerability in JavaScriptCore, patched in 18.6
- CVE-2025-43510 - Memory management vulnerability in the iOS kernel, patched in 18.7.2 and 26.1
- CVE-2025-43520 - Memory corruption vulnerability in the iOS kernel, patched in 18.7.2 and 26.1
- CVE-2025-43529 - Memory corruption vulnerability in JavaScriptCore, patched in 18.7.3 and 26.2
- CVE-2026-20700 - User-mode Pointer Authentication Code (PAC) bypass in dyld, patched in 26.3
(os:="apple ios" OR os:="apple ipados" OR os:="apple tvos" OR os:="apple macos" OR os:="apple watchos" OR os:="apple visionos") AND osversion:>0 AND ( (osversion:>="26.0" AND osversion:<"26.3") OR (osversion:>="18.0" AND osversion:<"18.7.3") )Apple TVs running versions prior to 11.4 are affected by multiple vulnerabilities, potentially leading to remote code execution.
os:"Apple tvOS" AND osversion:>0 AND osversion:<11.4Apple TVs running versions prior to 13.3.1 are affected by multiple vulnerabilities, potentially leading to remote code execution.
os:"Apple tvOS" AND osversion:>0 AND osversion:<13.3.1Apple TVs running versions prior to 15.2 are affected by multiple vulnerabilities, potentially leading to remote code execution.
os:"Apple tvOS" AND osversion:>0 AND osversion:<15.2Certain versions of the Arcserve Unified Data Protection (UDP) are affected by pre-auth heap-based overlow vulnerabilities (CVE-2025-34522 and CVE-2025-34523). Successful exploitation of CVE-2025-34522 or CVE-2025-34523 would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise. Successful exploitation of CVE-2025-34520 would allow an unauthenticated adversary to perform administrator functions, potentially compromising the integrity of a vulnerable system.
The following versions are affected
- Unified Data Protection versions 8.0 through 10.1.
- All versions prior to 8.0
vendor:=Arcserve AND product:=UDP AND version:>0 AND version:<10.2Atlassian Confluence Data Center and Server versions 5.2 through 7.19.22 are affected by a remote code execution vulnerability.
- This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. This vulnerability was found internally.
vendor:=Atlassian AND product:Confluence AND (version:>=5.2 AND version:<7.19.22)Cisco ConfD and ConfD Basic embed the Erlang OTP SSH server. This SSH server contains a vulnerability in its handling of SSH messages. An attacker who is able to successfully exploit this vulnerability would be able to execute arbitrary code with the privileges of the SSH server process.
The following products are affected
- Cisco ConfD
- Cisco ConfD Basic
vendor:="Cisco" AND product:="ConfD" AND ( (version:>"7.0.0.0" AND version:<"7.7.19.1") OR (version:>"8.0.0.0" AND version:<"8.0.17.1") OR (version:>"8.1.0.0" AND version:<"8.1.16.2") OR (version:>"8.2.0.0" AND version:<"8.2.11.1") OR (version:>"8.3.0.0" AND version:<"8.3.8.1") OR (version:>"8.4.0.0" AND version:<"8.4.4.1"))Certain versions of Cisco IOS XE for Wireless LAN Controllers contain a vulnerability that would allow a remote, unauthenticated attacker to upload arbitrary files. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with root privileges on the vulnerable device.
Note that the Out-of-Band AP Image Download feature must be enabled for a device to be vulnerable;
this feature is not enabled by default.
The following devices are affected
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst APs
os:="Cisco IOS XE" AND hw:"Catalyst" AND ( (osversion:>="17.7.0" AND osversion:<="17.7.1") OR (osversion:>="17.10.0" AND osversion:<="17.10.1") OR (osversion:>="17.8.0" AND osversion:<="17.8.1") OR (osversion:>="17.9.0" AND osversion:<="17.9.5") OR (osversion:>="17.11.0" AND osversion:<="17.11.1") OR (osversion:>="17.12.0" AND osversion:<="17.2.3") OR (osversion:>="17.13.0" AND osversion:<="17.13.1") OR (osversion:>="17.14.0" AND osversion:<="17.14.1") OR (osversion:>="17.11.0" AND osversion:<="17.11.99") )A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution.
The following versions are affected:
- 11.38.0 through 11.38.19
vendor:="Commvault" AND product:="Command Center" AND version:>"11.38.0" AND version:<"11.38.20"DrayTek Vigor2960 and Vigor300B routers contain a vulnerability that would allow a remote, unauthenticated attacker to inject arbitrary commands to be run on the underlying operating system. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code on the vulnerable device.
There is evidence that this vulnerability is being actively exploited in the wild.
The following devices are affected
- DrayTek Vigor2960 routers running firmware versions prior to 1.5.1.5.
- DrayTek Vigor400B routers running firmware versions prior to 1.5.1.5.
(hw:"DrayTek Vigor2960" OR hw:"DrayTek Vigor300b" OR hw:"DrayTek Vigor 2960" OR hw:"DrayTek Vigor 300b") AND osversion:>0 AND osversion:<"1.5.1.5"Erlang OTP (Open Telecom Platform)’s embedded SSH server contains a vulnerability in its handling of SSH messages. An attacker who is able to sucessfully exploit this vulnerability would be able to execute arbitrary code with the privileges of the Erlang process.
The following versions are affected
- Erlang/OTP versions 27.x prior to 27.3.3
- Erlang/OTP versions 26.x prior to 26.2.5.11
- Erlang/OTP versions 25.x prior to 25.3.2.20
Earlier versions of the OTP platform may be affected but are no longer supported.
_asset.protocols:ssh AND vendor:="Erlang" AND product:="SSH" AND ((version:>=5.2.0 AND version:<5.2.10) OR (version:>4.0.0.0 AND version:<4.15.3.12) OR (version:>5.1.0.0 AND version:<5.1.4.7))Certain versions of Fortra GoAnywhere Managed File Transfer (MFT) are affected by a deserialization of untrusted data vulnerability in the license servlet. Successful exploitation allows a remote, unauthenticated adversary to achieve arbitrary command injection by providing a “validly forged license response signature” with an adversary-controlled object. There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- GoAnywhere MFT versions prior to 7.8.4, excluding the Sustain Release version 7.6.3
vendor:=Fortra AND product:="GoAnywhere Managed File Transfer" AND (version:>0 AND version:<7.8.4 AND NOT version:=7.6.3)HPE OneView is an integration IT infrastructure management platform.
Certain versions of HPE OneView are affected by a remote code execution vulnerability. Successful exploitation of this vulnerability would allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable system.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- HPE OneView versions 10.20 and prior
This vulnerability has been given a severity of Critical because
- This vulnerability allows for remote code execution on a vulnerable system.
- This vulnerability is exploitable remotely and without authentication.
vendor:="HPE" AND product:="OneView" AND version:>0 AND version:<=10.20Certain versions of the Langflow framework contain an authentication-bypass vulnerability. Successfully exploiting this vulnerability would allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable system.
Note that there is evidence that this vulnerability is being exploited in the wild.
The following versions are vulnerable
- Langflow versions prior to 1.3.0
_asset.protocol:=http AND vendor:=Langflow AND product:=Langflow AND (version:>0 AND version:<1.3.0)Monsta FTP is a web-based File Transfer Protocol (FTP) client, written in PHP and JavaScript, that is installed on a web server to manage the site’s files directly through a web browser instead of using a traditional desktop client application.
Certain versions of Monsta FTP are affected by an unrestricted file upload vulnerability. This flaw allows dangerous file types to be automatically processed within the application’s environment, resulting in remote code execution (RCE). Successful exploitation allows a remote, unauthenticated adversary to upload a specially crafted file from a malicious SFTP or FTP server and subsequently execute arbitrary code on the server.
The following versions are affected
- Monsta FTP versions prior to 2.11.3
This vulnerability is rated Critical because
- This vulnerability would allow an attacker to execute arbitrary code on a vulnerable system.
- This vulnerability can be exploited remotely without authentication.
vendor:="Monsta Limited" AND product:="Monsta FTP" AND version:>0 AND version:<2.11.3PAN-OS is the proprietary operating system that powers all Palo Alto Networks Next-Generation Firewalls (NGFW) across physical, virtual, and cloud environments. It uses a Single-Pass Parallel Processing (SP3) architecture to provide deep visibility and control over network traffic by identifying applications, users, and content simultaneously.
Several versions of Palo Alto Networks PAN-OS are vulnerable to a high buffer overflow during IKEv2 handling. A remote, unauthenticated attacker can exploit this over the network to either gain elevated code execution or disrupt services entirely.
The following versions are affected
- PAN-OS versions 12.1.5 through 12.1.6, 12.1.2 through 12.1.4-h*.
- PAN-OS 11.2 versions 11.2.11 or later, 11.2.8 through 11.2.10-h*, 11.2.5 through 11.2.7-h*, or 11.2.0 through 11.2.4-h*.
- PAN-OS 11.1 versions 11.1.14 or later, 11.1.11 through 11.1.13-h*, 11.1.8 through 11.1.10-h*, 11.1.7 through 11.1.7-h*, 11.1.5 through 11.1.6-h*, 11.1.0 through 11.1.4-h*.
Note: This vulnerability only affects PA-Series hardware.
Severity & Risk Assessment
- Severity: High – Successful exploitation could allow an attacker to potentially execute arbitrary code on the vulnerable system.
- Risk: High – This vulnerability can be exploited by an unauthenticated remote attacker, meaning the barrier to entry for an attacker is low. This significantly increases the likelihood of widespread exploitation.
hw:="Palo Alto Networks" AND os:="Palo Alto Networks PAN-OS%" AND os_version:>0 AND ((os_version:>="12.1.5" AND os_version:<"12.1.7") OR (os_version:>="12.1.2" AND os_version:<"12.1.4-h5") OR (os_version:>="11.2.11" AND os_version:<"11.2.12") OR (os_version:>="11.2.8" AND os_version:<"11.2.10-h6") OR (os_version:>="11.2.5" AND os_version:<"11.2.7-h13") OR (os_version:>="11.2.0" AND os_version:<"11.2.4-h17") OR (os_version:>="11.1.14" AND os_version:<"11.1.15") OR (os_version:>="11.1.11" AND os_version:<"11.1.13-h5") OR (os_version:>="11.1.8" AND os_version:<"11.1.10-h25") OR (os_version:>="11.1.7" AND os_version:<"11.1.7-h6") OR (os_version:>="11.1.5" AND os_version:<"11.1.6-h32") OR (os_version:>="11.1.0" AND os_version:<"11.1.4-h33"))Roundcube Webmail stable version 1.5 prior to 1.5.10 and stable version 1.6 prior to 1.6.11 allow an authenticated user to perform remote code execution (RCE) due to deserialization of untrusted data. The _from parameter in a URL is not validated in program/actions/settings/upload.php, resulting in PHP Object Deserialization. This vulnerability has existed within the product for 10 years.
vendor:=Roundcube AND product:=Webmail AND ((version:>=1.5 AND version:<1.5.10) OR (version:>=1.6 AND version:<1.6.11))A missing authentication check within the Visual Composer Metadata Uploader could allow a remote unauthenticated attacker to upload malicious files, such as webshells, to a vulnerable target. They could then directly execute the shells via GET request potentially resulting in system compromise.
- SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. (CVE-2025-31324)
vendor:="SAP" AND product:"NetWeaver" AND (version:>7.0 AND version:<7.55)Certain versions of Samsung’s MagicINFO Server contain a path-traversal vulnerability when processing
binary uploads. Successfully exploiting this vulnerability would allow an attacker to upload binary
files that are later executed with SYSTEM privileges, allowing total control over the vulnerable
system.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- Samsung MagicINFO Server versions prior to 21.1052
vendor:="Samsung" AND product:"MagicINFO Server" AND version:>0 AND version:<"21.1052"Apache Solr versions 5.0.0 through 8.3.1 allow an unauthenticated attacker to send specially-crafted requests to the underlying Velocity template library leading to remote code execution.
- Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the
VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a
configset
velocity/directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by settingparams.resource.loader.enabledby defining a response writer with that setting set totrue. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset istrusted(has been uploaded by an authenticated user).
vendor:=Apache AND product:Solr AND (version:>=5.0.0 AND version:<8.4.0)Certain versions of SysAid Help Desk contain multiple vulnerabilities in the processing of user-controlled XML input. Successfully exploiting these vulnerabilities would allow an attacker to execute arbitrary code with the privileges of the SysAid process.
The following versions are affected
- SysAid Help Desk versions prior to 24.4.60
vendor:="SysAid" AND product:"Help Desk" AND version:>0 AND version:<24.4.60Certain versions of Trimble’s Cityworks GIS and public infrastructure management software contain a vulnerability in the handling of file uploads. This vulnerability would allow a remote, authenticated attacker to execute arbitrary code on the vulnerable system.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- Trimble Cityworks versions prior to 23.10
vendor:="Trimble" AND product:="Cityworks" AND version:>0 AND version:<"23.10"The VMware ESXi host includes a version of the OpenSLP component that is vulnerable to a heap buffer overflow. An attacker within the same network segment could exploit this vulnerability to execute arbitrary code on the system as the root user.
os:="VMware ESX%" and port:427 and ( os_version:="1.%" or os_version:="2.%" or os_version:="3.%" or os_version:="4.%" or os_version:="5.%" or os_version:="6.0%" or os_version:="6.5.0 build-4564106" or os_version:="6.5.0 build-4887370" or os_version:="6.5.0 build-5146843" or os_version:="6.5.0 build-5146846" or os_version:="6.5.0 build-5224529" or os_version:="6.5.0 build-5310538" or os_version:="6.5.0 build-5969300" or os_version:="6.5.0 build-5969303" or os_version:="6.5.0 build-6765664" or os_version:="6.5.0 build-7273056" or os_version:="6.5.0 build-7388607" or os_version:="6.5.0 build-7967591" or os_version:="6.5.0 build-8285314" or os_version:="6.5.0 build-8294253" or os_version:="6.5.0 build-8935087" or os_version:="6.5.0 build-9298722" or os_version:="6.5.0 build-10175896" or os_version:="6.5.0 build-10390116" or os_version:="6.5.0 build-10719125" or os_version:="6.5.0 build-10868328" or os_version:="6.5.0 build-10884925" or os_version:="6.5.0 build-11925212" or os_version:="6.5.0 build-13004031" or os_version:="6.5.0 build-13635690" or os_version:="6.5.0 build-13873656" or os_version:="6.5.0 build-13932383" or os_version:="6.5.0 build-14320405" or os_version:="6.5.0 build-14874964" or os_version:="6.5.0 build-14990892" or os_version:="6.5.0 build-15256468" or os_version:="6.5.0 build-15177306" or os_version:="6.5.0 build-15256549" or os_version:="6.5.0 build-16207673" or os_version:="6.5.0 build-16389870" or os_version:="6.5.0 build-16576879" or os_version:="6.5.0 build-16576891" or os_version:="6.5.0 build-16901156" or os_version:="6.5.0 build-17097218" or os_version:="6.5.0 build-17167537" or os_version:="6.7.0 build-8169922" or os_version:="6.7.0 build-8941472" or os_version:="6.7.0 build-9214924" or os_version:="6.7.0 build-9484548" or os_version:="6.7.0 build-10176752" or os_version:="6.7.0 build-10176879" or os_version:="6.7.0 build-10302608" or os_version:="6.7.0 build-10764712" or os_version:="6.7.0 build-11675023" or os_version:="6.7.0 build-13004448" or os_version:="6.7.0 build-12986307" or os_version:="6.7.0 build-13006603" or os_version:="6.7.0 build-13473784" or os_version:="6.7.0 build-13644319" or os_version:="6.7.0 build-13981272" or os_version:="6.7.0 build-14141615" or os_version:="6.7.0 build-14320388" or os_version:="6.7.0 build-15018017" or os_version:="6.7.0 build-15160134" or os_version:="6.7.0 build-15160138" or os_version:="6.7.0 build-15999342" or os_version:="6.7.0 build-15820472" or os_version:="6.7.0 build-16075168" or os_version:="6.7.0 build-16316930" or os_version:="6.7.0 build-16701467" or os_version:="6.7.0 build-16713306" or os_version:="6.7.0 build-16773714" or os_version:="6.7.0 build-17167699" or os_version:="6.7.0 build-17098360" or os_version:="6.7.0 build-17167734" or os_version:="7.0.0%" or os_version:="7.0.1 build-16850804" or os_version:="7.0.1 build-17119627" or os_version:="7.0.1 build-17168206" or os_version:="7.0.1 build-17325020")Veeam Backup & Replication is data protection software that supports image-level backup, recovery, and replication for virtual, physical, and cloud machines.
Multiple vulnerabilities have been identified across versions 12.3.x and 13.0.x that could allow for remote code execution (RCE), privilege escalation, and credential theft.
Version 12.3.x Vulnerabilities
- CVE-2026-21666 & CVE-2026-21667: Allows a remote, low-privileged authenticated domain user to perform RCE on the Backup Server.
- CVE-2026-21668: Allows a remote, low-privileged authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository.
Version 13.0.x Vulnerabilities
- CVE-2026-21669: Allows a remote, low-privileged authenticated domain user to perform RCE on Windows-based Backup Servers.
- CVE-2026-21670: Allows a remote, low-privileged user to extract saved SSH credentials from Windows-based servers or the Veeam Software Appliance.
- CVE-2026-21671: Allows a remote, high-privileged user with the “Backup Administrator” role to perform RCE in high availability (HA) deployments.
Vulnerabilities Affecting Both 12.3.x and 13.0.x
- CVE-2026-21672: A vulnerability allowing local privilege escalation on Windows-based Backup Servers.
- CVE-2026-21708: Allows a remote, low-privileged user with the “Backup Viewer” role to perform RCE as the
postgresuser.
The following versions are affected
- Veeam Backup & Replication versions 12.3.x prior to 12.3.2.4465
- Veeam Backup & Replication versions 13.0.x prior to 13.0.1.2067
vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication") AND ((version:>=12.3 AND version:<12.3.2.4465) OR (version:>=13.0 AND version:<13.0.1.2067))Veeam Backup & Replication is data protection software that supports image-level backup, recovery, and replication for virtual, physical, and cloud machines.
Certain versions of Veeam Backup & Replication are affected by two remote code execution (RCE) vulnerabilities in different components. These allow a remote, low-privileged adversary (authenticated domain user) to execute arbitrary code in the following ways:
- Via a vulnerability in the Mount service on domain-joined backup infrastructure servers (CVE-2025-48983).
- Via a vulnerability in domain-joined backup servers (CVE-2025-48984).
The following versions are affected
- Veeam Backup & Replication versions 12.x prior to 12.3.2.4165
Currently, runZero prebuilt integrations can identify these findings.
vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication") AND (version:>0 AND version:>=12 AND version:<12.3.2.4165)Devices using a vulnerable version of Apple’s AirPlay SDK potentially allow a local attacker the
ability to remotely execute code on third-party devices. Successful exploitation could lead to
information disclosure through eavesdropping on devices with a microphone.
- The issue was addressed with improved memory handling. This issue is fixed in AirPlay audio
SDK 2.7.1, AirPlay video SDK 3.6.0.126, CarPlay Communication Plug-in R18.1. An attacker on
the local network may cause an unexpected app termination. (CVE-2025-24132)
vendor:=Apple AND product:="AirPlay SDK" AND ((version:>2.0 AND version:<2.7.1) OR (version:>3.0 AND version:<3.6.0.126))Apache Tomcat’s handling of partial PUT requests contains a vulnerability when writes are enabled for a default servlet (writes are disabled by default). Depending on further server-side configuration and attacker knowledge of sensitive server-side filenames, this vulnerability could be exploited to achieve remote code execution with the privileges of the Tomcat server, information disclosure, or content injection.
The following versions are affected
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0-M1 to 9.0.98
_asset.products:"Tomcat" AND product:"Tomcat" AND ((version:>=11.0.0 AND version:<11.0.3) OR (version:>=10.1.0 AND version:<10.1.35) OR (version:>=9.0.0 AND version:<9.0.99))Dell published a Security Advisory for Dell Unity, Unity VSA, and Unity XT products containing multiple vulnerabilities that could allow an unauthenticated remote attacker to compromise affected assets including arbitrary command execution as the root user, which could lead to a complete system take over.
- Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution as root. Exploitation may lead to a system take over by an attacker. This vulnerability is considered critical as it can be leveraged to completely compromise the operating system. Dell recommends customers to upgrade at the earliest opportunity. (CVE-2025-22398)
- Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability to delete arbitrary files. This vulnerability is considered critical as it can be leveraged to delete critical system files as root. Dell recommends customers to upgrade at the earliest opportunity. (CVE-2025-24383)
- Dell Unity, version(s) 5.4 and prior, contain(s) an URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to a targeted application user being redirected to arbitrary web URLs. The vulnerability could be leveraged by attackers to conduct phishing attacks that cause users to divulge sensitive information. Exploitation may allow for session theft. (CVE-2025-24381)
os:"EMC Unity" AND osversion:>0 AND osversion:<5.5.0.0.0.5.259Forinet FortiVoice contains a vulnerability in its administrative interface that may allow an authenticated user to inject arbitrary SQL statements. Successful exploitation of this vulnerability could allow an attacker to modify the configuration of the vulnerable device and potentially execute arbitrary code.
The following versions are affected
- FortiVoice 7.0 versions 7.0.0 through 7.0.7
- FortiVoice 7.2 versions 7.2.0 through 7.2.2
hw:="Fortinet%" AND type:="SIP Gateway" AND ((osversion:>"7.2.0" AND osversion:<"7.2.3") OR (osversion:>"7.0.0" AND osversion:<"7.0.8"))Lantronix Xport devices are affected by a missing authentication vulnerability, potentially leading to an authentication bypass. Successful exploitation could lead to disruption to monitoring and operations.
The following product versions are affected: Xport versions 6.5.0.7 through 7.0.0.3
hw:lantronix AND ((os:="Lantronix XPort%" AND not os:="Lantronix XPort Edge%") OR (lantronix.type:="XE" OR lantronix.type:="SE" OR lantronix.type:="AR" OR lantronix.type:="EH"))Fortinet FortiOS is a custom operating system common to many Fortinet products.
Multiple Fortinet products running FortiOS contain an buffer overflow vulnerability in the logic handling the CAPWAP protocol.
Successful exploitation of this vulnerability would allow for a remote unauthenticated attacker to execute arbitrary commands.
The following versions are affected
- FortiOS 7.6 versions 7.6.0 through 7.6.3
- FortiOS 7.4 versions 7.4.0 through 7.4.8
- FortiOS 7.2 versions 7.2.0 through 7.2.11
- FortiOS 7.0 versions 7.0.0 through 7.0.17
- FortiOS 6.4 versions 6.4.0 through 6.4.16
os:="Fortinet FortiOS" AND os_version:>0 AND ((os_version:>="7.6.0" AND os_version:<="7.6.3") OR (os_version:>="7.4.0" AND os_version:<="7.4.8") OR (os_version:>="7.2.0" AND os_version:<="7.2.11") OR (os_version:>="7.0.0" AND os_version:<="7.0.17") OR (os_version:>="6.4.0" AND os_version:<="6.4.16"))Certain versions of Microsoft SQL Server are affected by multiple vulnerabilities:
-
SQL Server is affected by a heap-based buffer overflow vulnerability that may allow an authorized adversary to escape the SQL server context and remotely execute code on the target host. Successful exploitation of the vulnerability requires the adversary to prepare the target environment prior to executing a specially crafted query (CVE-2025-49717).
-
SQL Server is affected by an information disclosure vulnerability due its use of an uninitialized resource. Successful exploitation may allow an unauthorized adversary to remotely inspect heap memory from a privileged process running on the target host (CVE-2025-49718).
-
SQL Server is affected by an information disclosure vulnerability due to improper input validation. Successful exploitation may allow an unauthorized adversary to remotely inspect uninitialized memory on the target host (CVE-2025-49719).
The following versions are affected by CVE-2025-49717 & CVE-2025-49718
- Microsoft SQL Server 2019 (GDR) versions 15.x prior to 15.0.2135.5
- Microsoft SQL Server 2019 (CU 32) versions 15.x prior to 15.0.4435.7
- Microsoft SQL Server 2022 (GDR) versions 16.x prior to 16.0.4200.1
- Microsoft SQL Server 2022 (CU 19) versions 16.x prior to 16.0.1140.6
The following versions are affected by CVE-2025-49719
- Microsoft SQL Server 2016 for Service Pack 2 (GDR) versions 13.x prior to 13.0.6460.7
- Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack versions 13.x prior to 13.0.7055.9
- Microsoft SQL Server 2017 (GDR) versions 14.x prior to 14.0.2075.8
- Microsoft SQL Server 2017 (CU 31) versions 14.x prior to 14.0.3495.9
- Microsoft SQL Server 2019 (GDR) versions 15.x prior to 15.0.2135.5
- Microsoft SQL Server 2019 (CU 32) versions 15.x prior to 15.0.4435.7
- Microsoft SQL Server 2022 (GDR) versions 16.x prior to 16.0.4200.1
- Microsoft SQL Server 2022 (CU 19) versions 16.x prior to 16.0.1140.6
vendor:=Microsoft AND (product:="SQL Server" OR product:="SQL Server 20%") AND ((version:>=13.0.0 AND version:<13.0.6460.7 AND NOT version:="13.0.6460") OR (version:>=14.0.0 AND version:<14.0.3495.9 AND NOT version:="14.0.3495") OR (version:>=15.0.0 AND version:<15.0.4435.7 AND NOT version:="15.0.4435") OR (version:>=16.0.0 AND version:<16.0.4200.1 AND NOT version:="16.0.4200"))Certain versions of Redis are affected by multiple vulnerabilities in the Lua scripting functionality:
-
A remote, low-privileged adversary may use a specially crafted Lua script to manipulate the garbage collector, triggering a use-after-free vulnerability that could lead to remote code execution (RCE) (CVE-2025-49844).
-
A local, low-privileged adversary may use a specially crafted Lua script to cause an integer overflow that could lead to RCE (CVE-2025-46817).
-
A local, low-privileged adversary may use a specially crafted Lua script to manipulate different Lua objects and potentially execute arbitrary code in the context of another user (CVE-2025-46818).
-
A local, low-privileged adversary may use a specially crafted Lua script to read out-of-bounds data or crash the server causing a denial-of-service (DoS) (CVE-2025-46819).
The following Redis OSS (Open Source Software), Community Edition (CE) and Stack releases are affected
- Redis OSS/CE 6.2.x versions prior to 6.2.20
- Redis OSS/CE 7.2.x versions prior to 7.2.11
- Redis OSS/CE 7.4.x versions prior to 7.4.6
- Redis OSS/CE 8.0.x versions prior to 8.0.4
- Redis OSS/CE 8.2.x versions prior to 8.2.2
- Redis Stack 7.2.x versions prior to 7.2.0-v19
- Redis Stack 7.4.x versions prior to 7.4.0-v7
The following Redis Enterprise software releases are affected
- Redis 6.4.x versions prior to 6.4.2-131
- Redis 7.2.x versions prior to 7.2.4-138
- Redis 7.4.x versions prior to 7.4.6-272
- Redis 7.8.x versions prior to 7.8.6-207
- Redis 7.22.x versions prior to 7.22.2-12
This vulnerability has been given a severity of Critical because
- Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on the vulnerable system.
This vulnerability has been given a risk of Medium because
- Exploitation of this vulnerability requires authentication.
vendor:=Redis AND product:=Redis AND (version:>0 AND ( (version:>=6.2 AND version:<6.2.20) OR (version:>=7.2 AND version:<7.2.11) OR (version:>=7.4 AND version:<7.4.6) OR (version:>=8.0 AND version:<8.0.4) OR (version:>=8.2 AND version:<8.2.2)))Certain versions of LF Projects’ Valkey are affected by multiple vulnerabilities in its Lua scripting functionality, mirroring vulnerabilities also found in Redis. As an open-source fork of Redis, Valkey shares a significant portion of the same codebase.
-
A remote, low-privileged adversary may use a specially crafted Lua script to manipulate the garbage collector, triggering a use-after-free vulnerability that could lead to remote code execution (RCE) (CVE-2025-49844).
-
A local, low-privileged adversary may use a specially crafted Lua script to cause an integer overflow that could lead to RCE (CVE-2025-46817).
-
A local, low-privileged adversary may use a specially crafted Lua script to manipulate different Lua objects and potentially execute arbitrary code in the context of another user (CVE-2025-46818).
-
A local, low-privileged adversary may use a specially crafted Lua script to read out-of-bounds data or crash the server causing a denial-of-service (DoS) (CVE-2025-46819).
The following Valkey releases are affected
- Valkey 7.2.x versions prior to 7.2.11
- Valkey 8.0.x versions prior to 8.0.6
- Valkey 8.1.x versions prior to 8.1.4
This vulnerability has been given a severity of Critical because
- Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on the vulnerable system.
This vulnerability has been given a risk of Medium because
- Exploitation of this vulnerability requires authentication.
(vendor:=valkey OR vendor:="Fedora Project") AND product:=valkey AND (version:>0 AND ( (version:>=7.2 AND version:<7.2.11) OR (version:>=8.0 AND version:<8.0.6) OR (version:>=8.1 AND version:<8.1.4)))lighttpd versions prior to 1.4.50 are affected by multiple vulnerabilities
- A path traversal vulnerability in
mod_alias - A use-after-free memory corruption vulnerability in the core server
product:lighttpd (_service.product:=lighttpd:lighttpd:1.4.0% OR _service.product:=lighttpd:lighttpd:1.4.1% OR _service.product:=lighttpd:lighttpd:1.4.2% OR _service.product:=lighttpd:lighttpd:1.4.3% OR _service.product:=lighttpd:lighttpd:1.4.4%)Certain versions of ConnectWise ScreenConnect may be susceptible to ViewState code injection attacks in ASP.NET Web Forms. The ViewState is used to preserve page state, values of controls and properties, across multiple requests. The data is encoded using Base64 and protected by machine keys. It is important to note that to obtain these machine keys, it typically requires privileged system level access. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.
This issue could potentially impact any product utilizing ASP.NET framework ViewStates. There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- ConnectWise ScreenConnect versions prior to 25.2.4
vendor:=ConnectWise AND product:=ScreenConnect AND (version:>0 AND version:<25.2.4)Certain versions of the Squid caching proxy are vulnerable to a heap-based buffer overflow due to incorrect buffer management when processing a Uniform Resource Name (URN). This vulnerability allows a remote server to perform a buffer overflow attack by delivering specially crafted URN Trivial-HTTP responses. Successful exploitation may lead to remote code execution (RCE) or the disclosure of up to 4KB of data from Squid’s allocated heap memory. This leaked memory may contain security credentials or other confidential data.
The following versions are affected
- Squid 2.x versions up to and including 2.7.STABLE9
- Squid 3.x versions up to and including 3.5.28
- Squid 4.x versions up to and including 4.17
- Squid 5.x versions up to and including 5.9
- Squid 6.x versions up to and including 6.3
vendor:="Squid Cache" AND product:=Squid AND (version:>0 AND version:<6.4)Findings are created through three sources:
-
Query-based: These findings are identified through specific queries defined within the system (see list below).
-
Nuclei-generated: These findings result from scans where default credentials and vulnerability checks are enabled, leveraging Nuclei templates (see templates).
-
KEV (Known Exploited Vulnerabilities): These findings are triggered when a discovered vulnerability is present on the CISA Known Exploited Vulnerabilities (KEV) catalog or VulnCheck KEV.