Total
4999 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-50365 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 7.2 HIGH |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "lan_apply" API which are not properly sanitized before being concatenated to OS level commands. | |||||
| CVE-2025-52988 | 1 Juniper | 2 Junos, Junos Os Evolved | 2026-01-23 | N/A | 6.7 MEDIUM |
| An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a high privileged, local attacker to escalated their privileges to root. When a user provides specifically crafted arguments to the 'request system logout' command, these will be executed as root on the shell, which can completely compromise the device. This issue affects: Junos OS: * all versions before 21.2R3-S9, * 21.4 versions before 21.4R3-S8, * 22.2 versions before 22.2R3-S6, * 22.3 versions before 22.3R3-S3, * 22.4 versions before 22.4R3-S6, * 23.2 versions before 23.2R2-S1, * 23.4 versions before 23.4R1-S2, 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S6-EVO, * 23.2-EVO versions before 23.2R2-S1-EVO, * 23.4-EVO versions before 23.4R1-S2-EVO, 23.4R2-EVO. | |||||
| CVE-2024-50366 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 7.2 HIGH |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "applications_apply" API which are not properly sanitized before being concatenated to OS level commands. | |||||
| CVE-2024-50367 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 7.2 HIGH |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "sta_log_htm" API which are not properly sanitized before being concatenated to OS level commands. | |||||
| CVE-2024-50368 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 7.2 HIGH |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "basic_htm" API which are not properly sanitized before being concatenated to OS level commands. | |||||
| CVE-2024-50369 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 7.2 HIGH |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "multiple_ssid_htm" API which are not properly sanitized before being concatenated to OS level commands. | |||||
| CVE-2024-50370 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 9.8 CRITICAL |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point and malicious commands are executed with root privileges. No authentication is enabled on the service and the source of the vulnerability resides in processing code associated to the "cfg_cmd_set_eth_conf" operation. | |||||
| CVE-2024-50371 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 9.8 CRITICAL |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point and malicious commands are executed with root privileges. No authentication is enabled on the service and the source of the vulnerability resides in processing code associated to the "wlan_scan" operation. | |||||
| CVE-2024-50372 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 9.8 CRITICAL |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point and malicious commands are executed with root privileges. No authentication is enabled on the service and the source of the vulnerability resides in processing code associated to the "backup_config_to_utility" operation. | |||||
| CVE-2024-50373 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 9.8 CRITICAL |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point and malicious commands are executed with root privileges. No authentication is enabled on the service and the source of the vulnerability resides in processing code associated to the "restore_config_from_utility" operation. | |||||
| CVE-2024-50374 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 9.8 CRITICAL |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point and malicious commands are executed with root privileges. No authentication is enabled on the service and the source of the vulnerability resides in processing code associated to the "capture_packages" operation. | |||||
| CVE-2024-50375 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 9.8 CRITICAL |
| A CWE-306 "Missing Authentication for Critical Function" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point. | |||||
| CVE-2024-50376 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 7.3 HIGH |
| A CWE-79 "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited remotely leveraging a rogue Wi-Fi access point with a malicious SSID. | |||||
| CVE-2024-50377 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 6.5 MEDIUM |
| A CWE-798 "Use of Hard-coded Credentials" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability is associated to the backup configuration functionality that by default encrypts the archives using a static password. | |||||
| CVE-2025-37170 | 1 Arubanetworks | 1 Arubaos | 2026-01-23 | N/A | 7.2 HIGH |
| Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | |||||
| CVE-2025-37171 | 1 Arubanetworks | 1 Arubaos | 2026-01-23 | N/A | 7.2 HIGH |
| Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | |||||
| CVE-2025-37172 | 1 Arubanetworks | 1 Arubaos | 2026-01-23 | N/A | 7.2 HIGH |
| Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | |||||
| CVE-2025-15500 | 1 Sangfor | 1 Operation And Maintenance Management System | 2026-01-22 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability was found in Sangfor Operation and Maintenance Management System up to 3.0.8. This issue affects some unknown processing of the file /isomp-protocol/protocol/getHis of the component HTTP POST Request Handler. The manipulation of the argument sessionPath results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15499 | 1 Sangfor | 1 Operation And Maintenance Management System | 2026-01-22 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability has been found in Sangfor Operation and Maintenance Management System up to 3.0.8. This vulnerability affects the function uploadCN of the file VersionController.java. The manipulation of the argument filename leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15502 | 1 Sangfor | 1 Operation And Maintenance Security Management System | 2026-01-22 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.8. The affected element is the function SessionController of the file /isomp-protocol/protocol/session. Such manipulation of the argument Hostname leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||