Total
146 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-56513 | 2025-10-03 | N/A | 9.8 CRITICAL | ||
| NiceHash QuickMiner 6.12.0 perform software updates over HTTP without validating digital signatures or hash checks. An attacker capable of intercepting or redirecting traffic to the update url and can hijack the update process and deliver arbitrary executables that are automatically executed, resulting in full remote code execution. This constitutes a critical supply chain attack vector. | |||||
| CVE-2024-39819 | 1 Zoom | 3 Meeting Software Development Kit, Rooms, Workplace Desktop | 2025-10-02 | N/A | 6.7 MEDIUM |
| Integrity check in the installer for some Zoom Workplace Apps and SDKs for Windows may allow an authenticated user to conduct a privilege escalation via local access. | |||||
| CVE-2025-34212 | 2025-10-02 | N/A | N/A | ||
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation, and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 — Supply Chain Attack. | |||||
| CVE-2025-11182 | 2025-10-02 | N/A | 6.5 MEDIUM | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Download of Code Without Integrity Check vulnerability in GTONE ChangeFlow allows Path Traversal.This issue affects ChangeFlow: All versions to v9.0.1.1. | |||||
| CVE-2024-52331 | 1 Ecovacs | 28 Airbot Andy, Airbot Andy Firmware, Airbot Ava and 25 more | 2025-10-02 | N/A | 7.5 HIGH |
| ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot. | |||||
| CVE-2024-33660 | 1 Ami | 1 Aptio V | 2025-10-02 | N/A | 4.3 MEDIUM |
| An exploit is possible where an actor with physical access can manipulate SPI flash without being detected. | |||||
| CVE-2025-30199 | 1 Ecovacs | 26 Deebot T10, Deebot T10 Firmware, Deebot T10 Omni and 23 more | 2025-09-23 | N/A | 7.2 HIGH |
| ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station. | |||||
| CVE-2025-57431 | 2025-09-22 | N/A | 8.8 HIGH | ||
| The Sound4 PULSE-ECO AES67 1.22 web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware. | |||||
| CVE-2024-55459 | 1 Keras | 1 Keras | 2025-09-22 | N/A | 6.5 MEDIUM |
| An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function. | |||||
| CVE-2025-9319 | 2025-09-15 | N/A | 7.5 HIGH | ||
| A potential vulnerability was reported in the Lenovo Wallpaper Client that could allow arbitrary code execution under certain conditions. | |||||
| CVE-2025-55581 | 1 Dlink | 2 Dcs-825l, Dcs-825l Firmware | 2025-09-12 | N/A | 7.3 HIGH |
| D-Link DCS-825L firmware version 1.08.01 and possibly prior versions contain an insecure implementation in the mydlink-watch-dog.sh script. The script monitors and respawns the `dcp` and `signalc` binaries without validating their integrity, origin, or permissions. An attacker with filesystem access (e.g., via UART or firmware modification) may replace these binaries to achieve persistent arbitrary code execution with root privileges. The issue stems from improper handling of executable trust and absence of integrity checks in the watchdog logic. | |||||
| CVE-2025-55582 | 1 Dlink | 2 Dcs-825l, Dcs-825l Firmware | 2025-09-09 | N/A | 6.6 MEDIUM |
| D-Link DCS-825L firmware v1.08.01 contains a vulnerability in the watchdog script `mydlink-watch-dog.sh`, which blindly respawns binaries such as `dcp` and `signalc` without verifying integrity, authenticity, or permissions. An attacker with local filesystem access (via physical access, firmware modification, or debug interfaces) can replace these binaries with malicious payloads. The script executes these binaries as root in an infinite loop, leading to persistent privilege escalation and arbitrary code execution. This issue is mitigated in v1.09.02, but the product is officially End-of-Life and unsupported. | |||||
| CVE-2024-47192 | 1 Mahara | 1 Mahara | 2025-09-05 | N/A | 5.3 MEDIUM |
| An issue was discovered in Mahara 23.04.8 and 24.04.4. The use of a malicious export download URL can allow an attacker to download files that they do not have permission to download. | |||||
| CVE-2025-35115 | 1 Atlassian | 1 Agiloft | 2025-09-02 | N/A | 8.1 HIGH |
| Agiloft Release 28 downloads critical system packages over an insecure HTTP connection. An attacker in a Man-In-the-Middle position could replace or modify the contents of the download URL. Users should upgrade to Agiloft Release 30. | |||||
| CVE-2025-31355 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2025-08-21 | N/A | 7.2 HIGH |
| A firmware update vulnerability exists in the Firmware Signature Validation functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted malicious file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | |||||
| CVE-2025-53520 | 2025-08-08 | N/A | 8.8 HIGH | ||
| The affected product allows firmware updates to be downloaded from EG4's website, transferred via USB dongles, or installed through EG4's Monitoring Center (remote, cloud-connected interface) or via a serial connection, and can install these files without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection. | |||||
| CVE-2024-39348 | 1 Synology | 1 Router Manager | 2025-08-07 | N/A | 7.5 HIGH |
| Download of code without integrity check vulnerability in AirPrint functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors. | |||||
| CVE-2022-40799 | 1 Dlink | 2 Dnr-322l, Dnr-322l Firmware | 2025-08-06 | N/A | 8.8 HIGH |
| Data Integrity Failure in 'Backup Config' in D-Link DNR-322L <= 2.60B15 allows an authenticated attacker to execute OS level commands on the device. | |||||
| CVE-2025-53696 | 2025-07-29 | N/A | N/A | ||
| iSTAR Ultra performs a firmware verification on boot, however the verification does not inspect certain portions of the firmware. These firmware parts may contain malicious code. Tested up to firmware 6.9.2, later firmwares are also possibly affected. | |||||
| CVE-2025-7620 | 2025-07-15 | N/A | 8.8 HIGH | ||
| The cross-browser document creation component produced by Digitware System Integration Corporation has a Remote Code Execution vulnerability. If a user visits a malicious website while the component is active, remote attackers can cause the system to download and execute arbitrary programs. | |||||