Vulnerability Details
The Computer Network Defence Alert State is designed to give a granular and more dynamic visualisation of the current cyber security threat. Any increase in an alert state will occur immediately an issue is detected and it will drop again by one level each working day.
Our rationale for this agility is that vulnerabilities often occur in clusters, therefore reducing the alert state again quickly, will increase your visibility of new threats to the same product. Daily reductions in alert state occur at approximately 1900 GMT/UTC. Significant vulnerabilities may remain for longer. Vulnerabilities on this page are predominantly remotely executable, very few local server exploits will be shown.
Thursday 13 February 2025

Patch
Palo Alto
Networks

Patch
Monthly Patches inculde 10 bulletins, 2 rated High, 6 rated Medium, 2 rated Informational. Highest CVSSv3 of 7.8
More info.
HPE

Patch
Security vulnerabilities have been identified in Unified OSS Console and Unified OSS Console Assurance Monitoring, allowing a remote attacker to achieve code execution and DoS. Highest CVSSv3 score of 9.8
More info.
PostgreSQL

Patch
Improper neutralization of quoting syntax in PostgreSQL functions allows a database input provider to achieve SQL injection in certain usage patterns. CVSSv4 score of 8.1
More info.
Citrix

Patch
NetScaler ADC, NetScaler Gateway, and NetScaler Console contain theRegreSSHion vulnerability. CVSSv3 score of 8.1
More info.
Hitachi

Patch
Cosminexus Developer's Kit for Java has been updated to fix a security vulnerability. CVSSv3 score of 4.8
More info.
Linux

Patch
Wednesday 12 February 2025
Microsoft

Patch
Adobe

Patch
Monthly Patches have been published for InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer, and Photoshop Elements. Highest CVSSv3 of 9.4
More info.
Fortinet

Patch
Monthly Patches include 14 new bulletins affecting their products. Highest CVSSv3 score of 8.1
More info.
Juniper
Networks

Patch
An authentication bypass vulnerability in Juniper Networks Session Smart Router may allow a remote attacker to bypass authentication and take administrative control of the device. CVSSv4 score of 9.3
More info.
Ivanti

Patch
Monthly Patches include updates for Cloud Service Application, Neurons for MDM, and Connect Secure, Policy Secure and Secure Access Client. Highest CVSSv3 score of 9.9
More info.
Linux

Patch
Tuesday 11 February 2025
Siemens

Patch
Monthly Patches include 23 bulletins, 14 new and 9 updated. Of the new bulletins, highest CVSSv4 score of 9.4
More info.
SIMATIC S7-1200 CPU family is affected by two denial of service vulnerabilities. Highest CVSSv4 score of 8.7
More info.
Tableau Server component in Opcenter Intelligence contains multiple vulnerabilities. Highest CVSSv4 score of 9.4
More info.
Affected products do not invalidate user sessions upon user logout. This could allow a remote attacker to re-use a legitimate user's session even after logout. CVSSv4 score of 8.7
More info.
SCALANCE W-700 IEEE 802.11ax devices are affected by multiple vulnerabilities. Highest CVSSv4 score of 8.6
More info.
Schneider
Electric

Patch
SAP

Patch
Monthly Patches include 21 Security Notes, 19 new and 2 updated. Highest CVSSv3 score of 8.7
More info.
Apple

0-Day
Apple has published security updates for iOS and iPadOS. Exploits have been seen.
More info.
Dell

Patch
Dell has published Critical bulletins for Avamar, Networker Virtual Edition and PowerProtect DP Series Appliance.
More info.
Linux

Patch
Red Hat has updated the kernel. More info.
Monday 10 February 2025
OPC

Patch
UA.NET Standard Stack has been updated to fix 2 security vulnerabilities. Highest CVSSv3 score of 6.5
More info.
WithSecure

Patch
A DoS vulnerability was discovered in WithSecure Atlant Product.
More info.
NetApp

Patch
NetApp has published 10 new bulletins identifying vulnerabilities in third-party software included in their products. CVSSv4 score of 7.5
Three have patches.
More info.
IBM

Patch
IBM has published Critical bulletins for watsonx.data, QRadar SIEM, and Db2 Warehouse.
More info.
Linux

Patch
SUSE has updated rsync. More info.
OpenSUSE has updated rsync. More info.
Red Hat has updated the kernel-rt. More info.
Ubuntu has fixed a regression in rsync. More info.
Amazon Linux, Amazon Linux 2, and Amazon Linux 2023 have updated the kernel. More info. And here. And here.
AlmaLinux has updated the kernel and kernel-rt. More info.
Friday 07 February 2025
Microsoft

Patch
Microsoft has updated Edge with the latest chromium-based fixes.
More info.
Moxa

Patch
Orthanc

Patch
Orthanc server does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by a remote attacker. CVSSv4 score of 9.2
More info.
Proftpd

Patch
HP

Patch
HP LaserJet Pro printers may experience a DoS when a remote attacker sends a raw JPEG file to the printer via IPP. CVSSv4 score of 6.9
More info.
Tenable

Patch
Identity Exposure has been updated to fix vulnerabilities in third-party software. Highest CVSSv3 score of 7.7
More info.
Linux

Patch
Oracle Linux has updated the kernel. More info.
Thursday 06 February 2025
F5

Patch
Quarterly Patches include 17 bulletins, 13 rated High, 3 rated Medium, and 1 rated Low. Highest CVSSv4 score of 8.9
More info.
Cisco

Patch
Cisco has published 8 bulletins, 1 rated Critical, 1 rated High, and 6 rated Medium. Highest CVSSv2 score of 9.9
More info.
ABB

0-Day
ASPECT Enterprise, NEXUS Series, and Matrix Series have a hard-coded credentials vulnerability that could allow a remote attacker to gain unauthorized access and affect confidentiality, integrity and availability. CVSSv4 score of 9.3
These devices are not supposed to be internet-facing. This has been publicly disclosed.
More info.
IBM

Patch
IBM has published Critical bulletins for Asset Data Dictionary, Instana Observability, Security QRadar EDR, Cloud Pak for Business Automation iFixes, watsonx.data, Cloud Pak for Network Automation, QRadar Suite, Cloud Pak System, Engineering Lifecycle Optimization, Guardium Data Security Center, Security Verify Access, and Spectrum Protect Plus.
More info.
Dell

Patch
Dell has published Critical bulletins for Data Protection Advisor, and Avamar. High bulletins have been published for CloudBoost Virtual Appliance, and NetWorker vProxy.
More info.
Wednesday 05 February 2025

Patch
F5

Patch
F5 has published several bulletins for BIG-IP. Highest CVSSv4 score of 8.7
More info.
AutomationDirect

Patch
C-more EA9 HMI contains a function that can be skipped, which could result in a remote attacker causing a DoS or achieving RCE. CVSSv4 score of 9.3
More info.
Elber

New
Communications Equipment contains vulnerabilities that could allow a remote attacker unauthorized administrative access to the affected device. CVSSv4 score of 9.3
Equipment is near EoL, and will not be updated.
More info.
Veeam

Patch
A vulnerability within the Veeam Updater component allows a remote attacker to utilize MitM to execute arbitrary code on the affected appliance server with root-level permissions. CVSSv3 score of 9.0
More info.
Mozilla

Patch
Mozilla has published security updates rated High for Thunderbird, Thunderbird ESR, Firefox, and Firefox ESR.
More info.
Linux

Patch
Red Hat has updated the kernel. More info.
Tuesday 04 February 2025

Patch
Monthly Patches for Android include 26 vulnerabilities, all rated High, as well as Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm patches.
More info.
Samsung

Patch
Monthly Patches include 34 vulnerabilities, 1 rated Critical and 33 rated High, as well as Android patches.
More info.
Dell

Patch
Dell has published a Critical bulletin for VxRail.
More info.
WAGO

Patch
WAGO has updated firmware to correct a vulnerability in CODESYS OPC UA Stack. CVSSv3 score of 7.5
More info.
BD

Patch
BD has published security patches for third-party software included in FACSMelody, FACSCelesta, and FACSymphony A3/A5.
More info.
Linux

Patch
OpenSUSE has updated rsync. More info.
Monday 03 February 2025
Qualcomm

Patch
Qualcomm Monthly Patches include 6 vulnerabilities, 1 rated Critical, 5 rated High, as well as open source software updates. Highest CVSSv3 score of 8.8
More info.
MediaTek

Patch
MediaTek Monthly Patches include 16 vulnerabilities, 9 rated High and 7 rated Medium.
More info.
Samsung
Semiconductor

Patch
Monthly Patches include 2 vulnerabilities, both rated Medium. Highest CVSSv3 score of 7.5
More info.
NETGEAR

Patch
XR1000, XR1000v2, and XR500 contains a vulnerability that allows a remote attacker to conduct RCE. CVSSv3 score of 9.8
More info.
Linux

Patch
Mageia has updated the kernel. More info.
Friday 31 January 2025
Contec
Health

New
CMS8000 Patient Monitor contains several vulnerabilities that could allow a remote attacker to remotely send specially formatted UDP requests or connect to an unknown external network that would allow them to write arbitrary data resulting in remote code execution, or leak patient information and sensor data. Highest CVSSv4 score of 9.3
FDA recommends removing these devices from the network.
More info.
New Rock
Technologies

New
OM500 IP-PBX, MX8G VoIP Gateway, and NRP1302/P Desktop IP Phone contains several vulnerabilities. Highest CVSSv4 score of 9.3
No response from the vendor.
More info.
Microsoft

Patch
Microsoft has updated Edge to include the latest chromium patches.
More info.
Dell

Patch
Dell has published Critical bulletins for PowerProtect DD, Data Protection Central, VxRail, NetWorker, PowerProtect DP Series Appliance.
More info.
NetApp

Patch
NetApp has published 11 new bulletins identifying vulnerabilities in third-party software included in their products. Highest CVSSv3 score of 9.8
Two have patches.
More info.
BD

Patch
BD has published security patches for Accuri C6 Plus.
More info.
Thursday 30 January 2025
BIND

Patch
Medtronic

Patch
RemoteView and RemoteControl used by Medtronic representatives to provide remote support for the CareLink 2090 programmer contains a vulnerability in BeyondTrust. CVSSv3 score of 9.8
More info.
Philips

Patch
PICix uses 7-Zip, which has 2 vulnerabilities. Highest CVSSv4 score of 9.8
More info.
Rockwell
Automation

Patch
An encryption vulnerability exists in FactoryTalk AssetCentre. Highest CVSSv4 score of 9.3
More info.
Lexmark

Patch
Lexmark has published 6 new security bulletins for Lexmark devices. Highest CVSSv3 score of 9.1
More info.
ABB

Patch
ABB has published a bulletin for FLXEON products that identifies vulnerabilities that allow a remote attacker to take remote control of the product and run arbitrary code. Highest CVSSv4 score of 10
These devices are not meant to be Internet-facing.
More info.
Wednesday 29 January 2025

Patch
Rockwell
Automation

Patch
Rockwell Automation has updated FactoryTalk View to fix several vulnerabilities, including an RCE. Highest CVSSv4 score of 9.3
More info.
A Credential Exposure vulnerability exists in PowerFlex 755. The vulnerability is due to using HTTP resulting in credentials being sent in clear text. CVSSv4 score of 8.7
More info.
A DoS vulnerability was found in KEPServer. CVSSv3 score of 7.5
More info.
Ruckus
Networks

Patch
Unleashed APs and ZoneDirector contain a number of critical vulnerabilities. Collectively, these vulnerabilities allow a remote attacker to gain shell access to the device.. Highest CVSSv4 score of 9.3
More info.
IBM

Patch
IBM has published Critical bulletins for Tivoli Network Manager and Storage Copy Data Management.
More info.
Moxa

Patch
Multiple PT switches are affected by an out-of-bounds write vulnerability caused by insufficient input validation that could result in a denial-of-service attack. CVSSv4 score of 8.7
More info.
Tuesday 28 January 2025
Apple

Patch
Apple has published security bulletins for visionOS, iOS, iPadOS, macOS, watchOS, tvOS, and Safari. Highest CVSSv3 score of 8.1
More info.
Hitachi

Patch
Hitachi has published 7 new bulletins and 7 updated bulletins. Of the new bulletins, Highest CVSSv3 score of 9.8
More info.
D-Link

Patch
DSL-3788 contains an Unauthenticated RCE vulnerability.
More info.
Monday 27 January 2025
Apache

Patch
Microsoft

Patch
Edge has been updated with the latest chromium updates and to fix 1 Edge-specific vulnerability.
More info.
Wind River
Systems

New
The password hashing algorithms used in VxWorks are weak and can be cracked efficiently.
No patches, treated as a feature upgrade.
More info.
Supermicro

Patch
Several security issues have been discovered in Supermicro BMC Firmware. CVSSv3 score of 7.5
More info.
Canon

Patch
Multiple buffer overflow vulnerabilities exist in the Canon Laser Printers and Small Office Multifunctional Printers. Highest CVSSv3 score of 9.1
More info.
NetApp

Patch
NetApp has published 14 bulletins identifying vulnerabilities in third-party software included in their products. Highest CVSSv3 score of 9.1
Only 1 has patches.
More info.
Linux

Patch
Friday 24 January 2025
Xerox

Patch
Xerox Workplace Suite has been updated for several security vulnerabilities. Highest CVSSv3 score of 9.8
More info.
QNAP

Patch
Multiple vulnerabilities have been reported in rsync, affecting HBS 3 Hybrid Backup Sync. Highest CVSSv3 score of 8.8
More info.
Juniper
Networks

Patch
Multiple vulnerabilities have been fixed in Juniper Secure Analytics. Highest CVSSv3 score of 9.8
More info.
Ubiquiti

Patch
An Improper Certificate Validation on UniFi OS device, with Identity Enterprise configured allows a remote attacker to execute a MitM attack during application update.. CVSSv3 score of 5.9
More info.
IBM

Patch
IBM has published a Critical bulletin for Engineering Lifecycle Optimization. Highest CVSSv3 score of 9.8
More info.
Jenkins

Patch
Jenkins has published an update that fixes several vulnerabilities. Highest CVSSv3 score of 8.8
More info.
Thursday 23 January 2025
Cisco

Patch
Cisco has published 3 new bulletins, 1 rated Critical, 1 High, and 1 Medium. Highest CVSSv3 score of 9.9
More info.
A vulnerability in the SIP processing subsystem of BroadWorks could allow a remote attacker to halt the processing of incoming SIP requests, resulting in a DoS. CVSSv3 score of 7.5
More info.
A vulnerability in the OLE2 decryption routine of ClamAV could allow a remote attacker to cause a DoS. CVSSv3 score of 5.3
More info.
mySCADA

Patch
myPRO contains an OS Command Injection vulnerability that allows a remote attacker to execute arbitrary commands or disclose sensitive information. Highest CVSSv4 score of 9.3
More info.

Patch
Chrome for Desktop has been updated to fix 3 security vulnerabilities.
More info.
SonicWall

Patch
A pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 AMC and CMC, which could enable a remote attacker to execute arbitrary OS commands. CVSSv3 score of 9.8
More info.
M-Files

Patch
Three bulletins have been published identifying vulnerabilities in M-Files Server, the worst of which allows a remote attacker to consume computing resources. Highest CVSSv4 score of 6.3
More info.
ClamAV

Patch
A possible buffer overflow read bug in the OLE2 file parser could cause a DoS. CVSSv3 score of 5.3
More info.
Wednesday 22 January 2025
Oracle

Patch
Quarterly Patches include fixes for 318 vulnerabilities, 184 remotely exploitable without authentication. Highest CVSSv3 score of 9.9
More info.
phpMyAdmin

Patch
Three new bulletins have been published, identifying a DoS and XSS vulnerabilities.
More info.
OVN

Patch
OVN is vulnerable to allowing crafted UDP packets to bypass egress ACL rules. This can result in unauthorized access to virtual machines and containers running on the OVN network.
More info.
Mitel

Patch
Mitel has published 2 new bulletins affecting MiContact Center Business and OpenScape 4000.
More info.
I-O Data

Patch
Node.js

Patch
Three vulnerabilities, 1 rated High and 2 rated Medium, have been fixed in the latest version.
More info.
HAProxy

Patch
HAProxy Fusion has been patched for rsync.
More info.
Linux

Patch
Tuesday 21 January 2025
Monday 20 January 2025

Patch
Google has updated ChromeOS to fix vulnerabilities in the included Chrome browser.
More info.
Microsoft

Patch
Microsoft has updated Edge to include the latest chromium fixes.
More info.
HPE

Patch
A security vulnerability has been fixed in Telco Service Orchestrator software that a remote attacker could exploit for unauthorized data injection. CVSSv3 score of 5.3
More info.
F5

New
Traffix SDC contains a vulnerability that allows a remote attacker to bypass authentication and gain unauthorized access to sensitive information or privilege escalation. CVSSv3 score of 9.8
No patches yet.
More info.
Traffix SDC contains a vulnerability in Apache Tomcat that allows a remote attacker to gain access to the information leaking from a previous request/response. CVSSv3 score of 5.3
No patches yet.
More info.
NetApp

New
NetApp has published 10 new bulletins identifying vulnerabilities in third-party software included in their products. Highest CVSSv3 score of 9.8
No patches yet.
More info.
PRODUCT

GUARDED
This alert state represents the return towards normalisation of an alert state, indicating that there was a higher alert state due to a product vulnerability during the previous few days.
PRODUCT

INCREASED
This alert state indicates that a product vulnerability has been identified within the last few days. The vulnerability is either difficult to exploit, or if exploited, results in reduced impact to the target system.
PRODUCT

HIGH
This alert state indicates a more serious vulnerability which is exploitable.
PRODUCT

CRITICAL
This alert state indicates a significant threat to the product, where exploits exist or where the vulnerability is potentially devastating.

NEW
NEW
This bottom descriptor is used with a vulnerability which has been identified in the last 24 hours, with no patch or exploit. It will typically be paired with Increased.

+24hrs
+24hrs
This bottom descriptor is used with Indicates an alert state which has been present for more than 24 hours. It will typically be paired with Guarded, and could be changed to +48hr for an item that came out as Critical.

Patch
PATCH
This bottom descriptor indicates that patches are available for vulnerabilities, whether it is the initial report or a patch of a vulnerability that had been previously reported. It could be paired with Increased or High, and on rare occasions Critical.

Exploit
EXPLOIT
This bottom descriptor indicates that an Exploit has been made public for a vulnerability, whether it is the initial report or an indication of an exploit for a vulnerability that had been previously reported. It could be paired with High or Critical.

ZERO
ZERO DAY
This bottom descriptor indicates that a vulnerability has been announced without the opportunity for the vendor to patch it before the details are made known. It could be paired with High or Critical.