Headline
Google Fixes Nearly 100 Android Security Issues
Plus: Apple shuts down a Flipper Zero Attack, Microsoft patches more than 30 vulnerabilities, and more critical updates for the last month of 2023.
December was a hectic month for updates as firms including Apple and Google rushed to get patches out to fix serious flaws in their products before the holiday break.
Enterprise software giants also issued their fair share of patches, with Atlassian and SAP squashing several critical bugs during December.
Here’s what you need to know about the important updates you might have missed during the month.
Apple iOS
In mid-December, Apple released iOS 17.2, a major point upgrade containing features such as the Journal app, as well as 12 security patches. Among the flaws fixed in iOS 17.2 is CVE-2023-42890, an issue in the WebKit browser engine that could allow an attacker to execute code.
Another flaw in the iPhone’s Kernel, tracked as CVE-2023-4291, could see an app break out of its secure sandbox, Apple wrote on its support page. Meanwhile, two vulnerabilities in ImageIO, CVE-2023-42898 and CVE-2023-42899, could lead to code execution.
The iOS 17.2 update also put a mechanism in place to prevent a Bluetooth attack using a penetration testing device called Flipper Zero, according to tests by ZDNET and 9to5Mac. The annoying denial of service cyber-assault could cause a flurry of pop ups to appear on an iPhone and eventually lock up the device.
Apple also released iOS 16.7.3, Safari 17.2, macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2, tvOS 17.2 and watchOS 10.2.
Just one week after releasing iOS 17.2, Apple issued iOS 17.2.1 and iOS 16.7.4 for older devices, alongside macOS Sonoma 14.2.1. The surprise iPhone update contains unspecified bug and security fixes, while the macOS patch fixes a single flaw tracked as CVE-2023-42940.
Google Android
The Google Android December Security Bulletin was a hefty one, fixing nearly 100 security issues. The update includes patches for two critical issues in the Framework, the most severe of which could lead to remote escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation, Google said.
CVE-2023-40088 is a critical flaw in the System that could lead to remote code execution, while CVE-2023-40078 is an elevation of privilege bug rated as having a high impact.
Google has also issued an update for its smart device WearOS platform, fixing CVE-2023-40094, an elevation of privilege flaw. The Pixel Security Bulletin has not been posted at the time of writing.
Google Chrome
Google ended a bumper December of updates in style with an emergency fix for its Chrome browser. The eighth zero-day vulnerability impacting Chrome in 2024, CVE-2023-7024 is a heap buffer overflow issue in the open source WebRTC component. Google is “aware that an exploit for CVE-2023-7024 exists in the wild,” the browser maker said in an advisory.
It wasn’t the first fix released by Google in December. The software giant also issued a Chrome patch mid-month to fix nine security issues. Of the flaws reported by external researchers, five are rated as having a high severity, including CVE-2023-6702, a type confusion flaw in V8, and four use-after-free bugs.
Earlier in the month Google released Chrome 120, fixing 10 security flaws, including two rated as having a high severity. CVE-2023-6508 is a use-after-free bug in Media Stream, while CVE-2023-6509 is a use-after-free issue in Side Panel Search.
Microsoft
Microsoft’s December Patch Tuesday fixes over 30 vulnerabilities including several remote code execution (RCE) flaws. Among the critical fixes is CVE-2023-36019, a spoofing vulnerability in Microsoft Power Platform Connector with a CVSS score of 9.6. The issue could see an attacker manipulate a malicious link, app, or file to trick the victim. However, you would have to click on a specially crafted URL to be compromised.
Meanwhile, CVE-2023-35628 is a Windows MSHTML Platform RCE bug rated as critical with a CVSS score of 8.1. “The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client,” Microsoft said, adding that this could lead to exploitation before the email is viewed in the Preview Pane.
It was a fairly light Patch Tuesday, and none of the issues fixed in the month’s update cycle are known to have been exploited, but it still makes sense to apply the fixes as soon as you can.
Mozilla Firefox
Mozilla has fixed 18 security vulnerabilities in its Firefox browser, a third of which are rated as having a high severity. Of these, CVE-2023-6856 is a heap-buffer-overflow issue affecting WebGL DrawElementsInstanced method with Mesa VM driver that could allow an attacker to perform remote code execution and sandbox escape.
Meanwhile, Mozilla has also fixed memory safety bugs tracked as CVE-2023-6864 and CVE-2023-6873. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort [they] could have been exploited to run arbitrary code,” Mozilla said.
Apache
The Apache Software Foundation has issued a patch for a flaw in its Struts 2 open source developer framework. Tracked as CVE-2023-50164, the issue is rated as critical with a CVSS score of 9.8.
Using the vulnerability, an attacker could manipulate file upload parameters to enable paths traversal. Under some circumstances, this could lead to uploading a malicious file and be used to perform RCE, according to a security advisory.
To fix the flaw, it’s important to upgrade to Struts 2.5.33 or Struts 6.3.0.2 as soon as possible.
Atlassian
Enterprise software giant Atlassian has issued a patch to fix critical RCE vulnerabilities in its Confluence Data Center and Server. Tracked as CVE-2023-22522, the template injection vulnerability allows an authenticated attacker to inject unsafe user input into a Confluence page. “Using this approach, an attacker is able to achieve RCE on an affected instance,” Atlassian said in an advisory.
Marked as critical with a CVSS score of 9, the bug affects all versions including and after 4.0.0 of Confluence Data Center and Server. Atlassian “recommends patching to the latest version or a fixed LTS version” to address the issue.
Other patches released by Atlassian during the month include a fix for an RCE vulnerability in the Atlassian macOS app, an RCE bug in Assets Discovery, and a SnakeYAML library RCE issue impacting multiple products.
SAP
Business software maker SAP has released its December Security Patch Day, fixing several serious security flaws. The most critical, with a CVSS score of 9.1, are four escalation-of-privilege bugs in SAP Business Technology Platform tracked as CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, and CVE-2023-50424.
“It allows an unauthenticated attacker to obtain arbitrary permissions within the application leading to high impact on the application’s confidentiality and integrity,” security firm Onapsis said.
Meanwhile, CVE-2023-42481 is an improper access control vulnerability in SAP Commerce Cloud with a CVSS score of 8.1. “This allows a user who is actually blocked to regain access to the application, leading to considerable impact on confidentiality and integrity,” according to Onapsis.
Related news
A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses. The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by
Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done. Alternative video link (for Russia): https://vk.com/video-149273431_456239139 Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and […]
Gentoo Linux Security Advisory 202401-34 - Multiple vulnerabilities have been discovered in Chromium and its derivatives, the worst of which can lead to remote code execution. Versions greater than or equal to 120.0.6099.109 are affected.
Gentoo Linux Security Advisory 202401-33 - Multiple vulnerabilities have been found in WebKitGTK+, the worst of which may lead to remote code execution. Versions greater than or equal to 2.42.2:4 are affected.
Plus: Google fixes dozens of Android bugs, Microsoft rolls out nearly 50 patches, Mozilla squashes 15 Firefox flaws, and more.
Ubuntu Security Notice 6562-2 - USN-6562-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. DoHyun Lee discovered that Firefox did not properly manage memory when used on systems with the Mesa VM driver. An attacker could potentially exploit this issue to execute arbitrary code. George Pantela and Hubert Kario discovered that Firefox using multiple NSS NIST curves which were susceptible to a side-channel attack known as "Minerva". An attacker could potentially exploit this issue to obtain sensitive information. Andrew Osmond discovered that Firefox did not properly validate the textures produced by remote decoders. An attacker could potentially exploit this issue...
Microsoft has addressed a total of 48 security flaws spanning its software as part of its Patch Tuesday updates for January 2024. Of the 48 bugs, two are rated Critical and 46 are rated Important in severity. There is no evidence that any of the issues are publicly known or under active attack at the time of release, making it the second consecutive Patch Tuesday with no zero-days. The
Gentoo Linux Security Advisory 202401-10 - Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could lead to remote code execution. Versions greater than or equal to 115.6.0:esr are affected.
By Waqas CISA Urges Swift Action as Two Critical Vulnerabilities Emerge. This is a post from HackRead.com Read the original post: CISA Warns of Exploited Vulnerabilities in Chrome and Excel Parsing Library
Red Hat Security Advisory 2024-0030-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0029-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0028-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0026-03 - An update for firefox is now available for Red Hat Enterprise Linux 7. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0023-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0022-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Ubuntu Security Notice 6563-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. Marcus Brinkmann discovered that Thunderbird did not properly parse a PGP/MIME payload that contains digitally signed text. An attacker could potentially exploit this issue to spoof an email message.
Ubuntu Security Notice 6562-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. DoHyun Lee discovered that Firefox did not properly manage memory when used on systems with the Mesa VM driver. An attacker could potentially exploit this issue to execute arbitrary code.
Red Hat Security Advisory 2024-0025-03 - An update for firefox is now available for Red Hat Enterprise Linux 9. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0021-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0019-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0012-03 - An update for firefox is now available for Red Hat Enterprise Linux 8. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0011-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0005-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0004-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0002-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-0001-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9. Issues addressed include buffer overflow and use-after-free vulnerabilities.
Debian Linux Security Advisory 5585-1 - An important security issue was discovered in Chromium, which could result in the execution of arbitrary code.
Debian Linux Security Advisory 5582-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service, the execution of arbitrary code or spoofing of signed PGP/MIME and SMIME emails.
Debian Linux Security Advisory 5582-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service, the execution of arbitrary code or spoofing of signed PGP/MIME and SMIME emails.
Debian Linux Security Advisory 5582-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service, the execution of arbitrary code or spoofing of signed PGP/MIME and SMIME emails.
Google has issued an emergency update for Chrome that fixes an actively exploited zero-day vulnerability in the WebRTC component.
Debian Linux Security Advisory 5581-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or clickjacking.
Debian Linux Security Advisory 5581-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or clickjacking.
Google has rolled out security updates for the Chrome web browser to address a high-severity zero-day flaw that it said has been exploited in the wild. The vulnerability, assigned the CVE identifier CVE-2023-7024, has been described as a heap-based buffer overflow bug in the WebRTC framework that could be exploited to result in program crashes or arbitrary code execution. Clément
Apple Security Advisory 12-19-2023-1 - macOS Sonoma 14.2.1 addresses a session tracking issue.
A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.
Debian Linux Security Advisory 5577-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Microsoft and other vendors have released their rounds of December updates on or before patch Tuesday. Update now!
Microsoft and other vendors have released their rounds of December updates on or before patch Tuesday. Update now!
Apple Security Advisory 12-11-2023-8 - watchOS 10.2 addresses code execution and out of bounds read vulnerabilities.
Apple Security Advisory 12-11-2023-8 - watchOS 10.2 addresses code execution and out of bounds read vulnerabilities.
Apple Security Advisory 12-11-2023-8 - watchOS 10.2 addresses code execution and out of bounds read vulnerabilities.
Apple Security Advisory 12-11-2023-7 - tvOS 17.2 addresses code execution and out of bounds read vulnerabilities.
Apple Security Advisory 12-11-2023-7 - tvOS 17.2 addresses code execution and out of bounds read vulnerabilities.
Apple Security Advisory 12-11-2023-7 - tvOS 17.2 addresses code execution and out of bounds read vulnerabilities.
Apple Security Advisory 12-11-2023-6 - macOS Monterey 12.7.2 addresses code execution and out of bounds read vulnerabilities.
Apple Security Advisory 12-11-2023-5 - macOS Ventura 13.6.3 addresses code execution and out of bounds read vulnerabilities.
Apple Security Advisory 12-11-2023-4 - macOS Sonoma 14.2 addresses code execution, out of bounds read, and spoofing vulnerabilities.
Apple Security Advisory 12-11-2023-4 - macOS Sonoma 14.2 addresses code execution, out of bounds read, and spoofing vulnerabilities.
Apple Security Advisory 12-11-2023-4 - macOS Sonoma 14.2 addresses code execution, out of bounds read, and spoofing vulnerabilities.
Apple Security Advisory 12-11-2023-3 - iOS 16.7.3 and iPadOS 16.7.3 addresses code execution and out of bounds read vulnerabilities.
Apple Security Advisory 12-11-2023-2 - iOS 17.2 and iPadOS 17.2 addresses code execution and spoofing vulnerabilities.
Apple Security Advisory 12-11-2023-2 - iOS 17.2 and iPadOS 17.2 addresses code execution and spoofing vulnerabilities.
Apple Security Advisory 12-11-2023-2 - iOS 17.2 and iPadOS 17.2 addresses code execution and spoofing vulnerabilities.
Apple Security Advisory 12-11-2023-1 - Safari 17.2 addresses code execution vulnerabilities.
Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years. Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch
Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years. Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch
The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known "zero-day" threats targeting any of the vulnerabilities in December's patch batch. Still, four of the updates pushed out today address "critical" vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.
The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.
Windows MSHTML Platform Remote Code Execution Vulnerability
Microsoft Power Platform Connector Spoofing Vulnerability
Apple on Monday released security patches for iOS, iPadOS, macOS, tvOS, watchOS, and Safari web browser to address multiple security flaws, in addition to backporting fixes for two recently disclosed zero-days to older devices. This includes updates for 12 security vulnerabilities in iOS and iPadOS spanning AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari
Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file
SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in macOS Sonoma 14.2. Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution.
In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.2, iOS 17.2 and iPadOS 17.2, watchOS 10.2. An app may be able to access sensitive user data.
Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in macOS Sonoma 14.2. Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution.
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.2, iOS 17.2 and iPadOS 17.2, watchOS 10.2. An app may be able to access sensitive user data.
The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, watchOS 10.2, iOS 17.2 and iPadOS 17.2, tvOS 17.2. Processing web content may lead to arbitrary code execution.
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.2, iOS 17.2 and iPadOS 17.2, watchOS 10.2. An app may be able to access sensitive user data.
A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2. An app may be able to access protected user data.
Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in macOS Sonoma 14.2. Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution.
Debian Linux Security Advisory 5573-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Debian Linux Security Advisory 5573-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Android phones are vulnerable to attacks that allow a remote execution of malicious code and it requires no user interaction.
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.1 or greater to fix this issue.
Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution. The list of vulnerabilities is below - CVE-2022-1471 (CVSS score: 9.8) - Deserialization vulnerability in SnakeYAML library that can lead to remote code execution in multiple products CVE-2023-22522 (CVSS score
Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023. The vulnerabilities are as follows - CVE-2023-33063 (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP. CVE-2023-33106 (CVSS score: 8.4) - Memory corruption in
This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve Remote Code Execution (RCE) on an affected instance. Publicly accessible Confluence Data Center and Server versions as listed below are at risk and require immediate attention. See the advisory for additional details Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
In parse_gap_data of utils.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
In parse_gap_data of utils.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
In parse_gap_data of utils.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a remote code execution (RCE) vulnerability via manipulated parameters of the web interface without authentication. This could lead to a full compromise of the FDS101 device.