#vulnerability

Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.9 ATTENTION: Low attack complexity Vendor: HMS Networks Equipment: Ewon Flexy 202 Vulnerability: Cleartext Transmission of Sensitive Information 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to disclose sensitive user credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following HMS Networks products are affected: Ewon Flexy 202: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 Cleartext Transmission of Sensitive Information CWE-319 EWON Flexy 202 transmits user credentials in clear text with no encryption when a user is added, or user credentials are changed via its webpage. CVE-2025-0432 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2025-0432. A base score of 6.9 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:P/VC:H...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 4.6 ATTENTION: Low attack complexity Vendor: Schneider Electric Equipment: EcoStruxure Power Build Rapsody Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of this vulnerability could allow local attackers to potentially execute arbitrary code when opening a malicious project file. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports the following versions of EcoStruxure Power Build, a configuration program for panel builders, are affected: EcoStruxure Power Build Rapsody: Version v2.5.2 NL and prior EcoStruxure Power Build Rapsody: Version v2.7.1 FR and prior EcoStruxure Power Build Rapsody: Version v2.7.5 ES and prior EcoStruxure Power Build Rapsody: Version v2.5.4 INT and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119 An improper restriction of operations within the bounds of a...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.2 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: RTU500 series products Vulnerability: Improperly Implemented Security Check for Standard 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to to update the RTU500 with unsigned firmware. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports that the following RTU500 series products are affected: RTU500 series CMU Firmware: Version 13.5.1 up to and including 13.5.3 RTU500 series CMU Firmware: Version 13.4.1 up to and including 13.4.4 RTU500 series CMU Firmware: Version 13.2.1 up to and including 13.2.7 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPERLY IMPLEMENTED SECURITY CHECK FOR STANDARD CWE-358 A vulnerability exists in the RTU500 that allows for authenticated and authorized users to bypass secure update. If a malicious actor successfully exploits this vulnerability, they could use it to update the RTU500 with...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: mySCADA Equipment: myPRO Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary commands or disclose sensitive information. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following mySCADA products are affected: myPRO Manager: Versions prior to 1.3 myPRO Runtime: Versions prior to 9.2.1 3.2 VULNERABILITY OVERVIEW 3.2.1 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-78 mySCADA myPRO does not properly neutralize POST requests sent to a specific port with email information. This vulnerability could be exploited by an attacker to execute arbitrary commands on the affected system. CVE-2025-20061 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has be...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.5 ATTENTION: Low attack complexity Vendor: Schneider Electric Equipment: EVlink Home Smart and Schneider Charge Vulnerability: Cleartext Storage of Sensitive Information 2. RISK EVALUATION Successful exploitation of this vulnerability may expose test credentials in the firmware binary. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following EVlink Home Smart and Schneider Charge charging stations are affected: EVlink Home Smart: All versions prior to 2.0.6.0.0 Schneider Charge: All versions prior to 1.13.4 3.2 VULNERABILITY OVERVIEW 3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312 A cleartext storage of sensitive information vulnerability exists that exposes test credentials in the firmware binary. CVE-2024-8070 has been assigned to this vulnerability. A CVSS v3 base score of 8.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L). 3.3 BACKGROUND CRITICAL INFRASTR...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Schneider Electric Equipment: Easergy Studio Vulnerability: Improper Privilege Management 2. RISK EVALUATION Successful exploitation of this vulnerability may risk unauthorized access to the installation directory for Easergy Studio, which could allow an attacker with access to the file system to elevate privileges. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following Easergy Studio products are affected: Easergy Studio: Versions 9.3.1 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269 An improper privilege management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity, and availability of the workstation when a non-administrative authenticated user tries to perform privilege escalation by tampering with the binaries. CVE-2024-9002 has been assigned to this vulnerability. A CVSS v3 base score of 7...

Chinese hacks, rampant ransomware, and Donald Trump’s budget cuts all threaten US security. In an exit interview with WIRED, former CISA head Jen Easterly argues for her agency’s survival.

SonicWall is alerting customers of a critical security flaw impacting its Secure Mobile Access (SMA) 1000 Series appliances that it said has been likely exploited in the wild as a zero-day. The vulnerability, tracked as CVE-2025-23006, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. "Pre-authentication deserialization of untrusted data vulnerability has been identified in the

About Remote Code Execution – Windows OLE (CVE-2025-21298) vulnerability. The vulnerability is from the January Microsoft Patch Tuesday. OLE (Object Linking and Embedding) is a technology for linking and embedding objects into other documents and objects, developed by Microsoft. A common use of this technology is embedding an Excel table in a Word document. What […]