#auth

A vulnerability was found in CRI-O. A path traversal issue in the log management functions (UnMountPodLogs and LinkContainerLogs) may allow an attacker with permissions to create and delete Pods to unmount arbitrary host paths, leading to node-level denial of service by unmounting critical system directories.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.0 ATTENTION: Low attack complexity Vendor: Rockwell Automation Equipment: FactoryTalk Vulnerabilities: Incorrect Permission Assignment for Critical Resource, Improper Control of Generation of Code ('Code Injection') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to gain unauthenticated access to system configuration files and execute DLLs with elevated privileges. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Rockwell Automation Factory Talk are affected: FactoryTalk: All versions prior to 15.0 FactoryTalk View SE: All versions prior to 15.0 3.2 VULNERABILITY OVERVIEW 3.2.1 Incorrect Permission Assignment for Critical Resource CWE-732 An incorrect permission assignment vulnerability exists in Rockwell Automation FactoryTalk products on all versions prior to Version 15.0. The vulnerability is due to incorrect permissions being assigned to the remote debugger port and can allow fo...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Low attack complexity Vendor: Rockwell Automation Equipment: FactoryTalk Vulnerabilities: Incorrect Authorization, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute code on the device with elevated privileges. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Rockwell Automation FactoryTalk View ME are affected: FactoryTalk View ME: All versions prior to 15.0 3.2 VULNERABILITY OVERVIEW 3.2.1 Incorrect Authorization CWE-863 A local code execution vulnerability exists in in Rockwell Automation FactoryTalk products on all versions prior to version 15.0. The vulnerability is due to a default setting in Windows and allows access to the command prompt as a higher privileged user. CVE-2025-24479 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calcu...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Power Logic Vulnerabilities: Authorization Bypass Through User-Controlled Key, Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to modify data or cause a denial-of-service condition on web interface functionality. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Schneider Electric Power Logic: v0.62.7 (CVE-2024-10497) Schneider Electric Power Logic: v0.62.7 and prior (CVE-2024-10498) 3.2 VULNERABILITY OVERVIEW 3.2.1 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639 An authorization bypass through user-controlled key vulnerability exists that could allow an authorized attacker to modify values outside those defined by their privileges (Elevation of Privileges) when the att...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: DataMosaix Private Cloud Vulnerabilities: Exposure of Sensitive Information to an Unauthorized Actor, Dependency on Vulnerable Third-Party Component 2. RISK EVALUATION Successful exploitation of these vulnerabilities could overwrite reports, including user projects. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Rockwell Automation reports the following versions of DataMosaix Private Cloud are affected: DataEdgePlatform DataMosaix Private Cloud: Version 7.11 and prior (CVE-2025-0659) DataEdgePlatform DataMosaix Private Cloud: Versions 7.09 and prior (CVE-2020-11656) 3.2 VULNERABILITY OVERVIEW 3.2.1 Exposure of Sensitive Information to an Unauthorized Actor CWE-200 A path traversal vulnerability exists in DataMosaix Private Cloud. By specifying the character sequence in the body of the vulnerable endpoint, it is possible to overwrite files outside of the in...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low Attack Complexity Vendor: Schneider Electric Equipment: Electric RemoteConnect and SCADAPack x70 Utilities Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could lead to loss of confidentiality, integrity, and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: RemoteConnect: All versions SCADAPackTM x70 Utilities: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502 A deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity, and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file. CVE-2024-12703 has been assigned to this vulnerability. A CVSS v3 ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: B&R Equipment: Automation Runtime Vulnerability: Use of a Broken or Risky Cryptographic Algorithm 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to masquerade as legitimate services on impacted devices. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS B&R reports that the following products are affected: B&R Automation Runtime: versions prior to 6.1 B&R mapp View: versions prior to 6.1 3.2 VULNERABILITY OVERVIEW 3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327 A "Use of a Broken or Risky Cryptographic Algorithm" vulnerability in the SSL/TLS component used in B&R Automation Runtime versions <6.1 and B&R mapp View versions <6.1 may be abused by unauthenticated network-based attackers to masquerade as legitimate services on impacted devices. CVE-2024-8603 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assi...

The firewall specialist has patched the security flaw, which was responsible for a series of attacks reported earlier this month that compromised FortiOS and FortiProxy products exposed to the public Internet.

Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany.

While passwords remain the first line of defense for protecting user accounts against unauthorized access, the methods for creating strong passwords and protecting them are continually evolving. For example, NIST password recommendations are now prioritizing password length over complexity. Hashing, however, remains a non-negotiable. Even long secure passphrases should be hashed to prevent them