Skip to main content

Vulnerability Details

The Computer Network Defence Alert State is designed to give a granular and more dynamic visualisation of the current cyber security threat.  Any increase in an alert state will occur immediately an issue is detected and it will drop again by one level each working day

Our rationale for this agility is that vulnerabilities often occur in clusters, therefore reducing the alert state again quickly, will increase your visibility of new threats to the same product. Daily reductions in alert state occur at approximately 1900 GMT/UTC. Significant vulnerabilities may remain for longer. Vulnerabilities on this page are predominantly remotely executable, very few local server exploits will be shown.

Tuesday 06 May 2025


Google

Patch

Monthly Patches are out for Android, with 29 vulnerabilities, all rated High, plus Imagination Technologies, Arm, MediaTek, and Qualcomm updates.
More info.


TCMAN

Patch

GIM v11 has been updated to fix 6 security vulnerabilities.  Highest CVSSv4 score of 9.3
More info.


IBM

Patch

IBM has published a Critical bulletin for Business Automation Insights.
More info.


Monday 05 May 2025


Qualcomm

Patch

Monthly Patches are out for Qualcomm, with 12 vulnerabilities, 1 rated Critical and the rest High, plus open source software updates. Highest CVSSv3 score of 8.2
More info.


MediaTek

Patch

MediaTek has published Monthly Patches with 6 CVEs, 1 rated High and 5 rated Medium.  Highest CVSSv4 score of 7.5.
More info.


IBM

Patch

IBM has published Critical bulletins for Cloud Pak for Business Automation, Cloud Pak for Network Automation, Cloud Pak System, Watson for Speech Services Cartridge, Planning Analytics Cartridge, and watsonx Orchestrate Cartridge.
More info.


NetApp

New

NetApp has published 10 new bulletins identifyng vulnerabilities in third-party software included in their products. Highest CVSSv3 score of 8.7
No patches yet.
More info.


Linux

Patch

Mageia has updated the kernel. More info.


Thursday 01 May 2025


Dell

Patch

Dell has published Critical bulletins for APEX Cloud Platform and VxRail.
More info.


IBM

Patch

IBM has published a Critical bulletin for Cognos Analytics.
More info.


Linux

Patch

Oracle Linux has updated the kernel. More info.


Wednesday 30 April 2025


Google

Patch

Google has updated Chrome for Desktop to fix 8 security vulnerabilities.
More info.


Mozilla

Patch

Mozilla has published security updates for Thunderbird, Thunderbird ESR, Firefox, and Firefox ESR, all rated High.
More info.


Tenable

Patch

Tenable Identity Exposure has been updated to fix vulnerabiltiies in third-party software. Highest CVSSv3 score of 10.
More info.


Splunk

Patch

Splunk remedied vulnerabilities in third-party software in Splunk User Behavior Analytics.
More info.


IBM

Patch

IBM has published Critical bulletins for SAN Volume Controller, Storwize, Spectrum Virtualize, and FlashSystem.
More info.


Linux

Patch

Red Hat has updated the kernel rt. More info.
Amazon Linux, Amazon Linux 2, and Amazon Linux 2023 have updated the kernel. More info.


Tuesday 29 April 2025


Apache

Patch

Tomcat contains an incorrect error handling vulnerability for some invalid HTTP priority headers could result in a DoS.
More info.


SICK

Patch

SICK has identified a DoS vulnerability in picoScan and multiScan. CVSSv3 score of 5.3
More info.

SICK has found two vulnerabilities that affect the SICK Flexi Compact. Highest CVSSv3 score of 7.5
More info.


PowerDNS

Patch

PowerDNS DNSdist contains an emergency release fixing a security issue that allows a remote attacker to cause a DoS.
More info.


Ribbon
Communications

Patch

Ribbon Communications Apollo has been updated to fix several vulnerabilities, including Use of Hard-coded Credentials.
More info.


IBM

Patch

IBM has published Critical bulletins for Operational Decision Manager, Cloud Transformation Advisor, Cloud Pak for Security, Rapid Infrastructure Automation, API Connect, and Cloud Pak for Business Automation.
More info.


Monday 28 April 2025


SAP

Exploit

SAP has released out-of-band emergency NetWeaver updates to fix a suspected RCE zero-day flaw actively exploited to hijack servers. CVSSv3 score of 10.
More info. And here.


Wiesemann
& Theis

Patch

Com-Server firmware supports the insecure TLS 1.0 and TLS 1.1 protocols, which are susceptible to MitM attacks. CVSSv3 score of 9.1
More info.


NetApp

New

NetApp has published 10 new bulletins identifying vulnerabilities in third-party software included in their products.  Highest CVSSv3 score of 10.
No patches yet.
More info.


IBM

Patch

IBM has published Critical bulletins for CICS TX Advanced and QRadar SIEM.
More info.


Linux

Patch

Debian has updated the kernel. More info.


Friday 25 April 2025


Microsoft

Patch

Microsoft has updated Edge with the latest chromium security fixes.
More info.


Johnson
Controls

Patch

Johnson Controls has updated Software House iSTAR Configuration Utility (ICU) tool to fix a vulnerability that allows a remote attacker to achieve buffer overflow. CVSSv4 score of 9.3
More info. And here.


Nice

New

Nice Linear eMerge E3 contains an OS command injection vulnerability. CVSSv4 score of 9.3
Replace Controller boards if compromised.
More info. And here.


Planet
Technology

Patch

Planet Technology Network Products contain several vulnerabilities, including OS command injection, use of hard-coded credentials, and missing authentication for critical function. Highest CVSSv4 score of 9.3
More info.


Bosch

Patch

Multiple ctrlX OS vulnerabilities exist in Device Admin and Solutions. Highest CVSSv3 score of 7.5
More info.


Mitsubishi
Electric

Patch

A DoS vulnerability exists in the Ethernet function of multiple FA products. CVSSv3 score of 5.9
More info.


Thursday 24 April 2025


HPE

Patch

A security vulnerability in Apache Tomcat has been identified in HPE Telco Service Orchestrator software could allow a remote attacker to achieve RCE. CVSSv3 score of 9.8
More info.

Security vulnerabilities have been identified in "HPE Telco Network Function Virtual Orchestrator" software. Highest CVSSv3 score of 9.1.
More info.


Linux

Patch

Ubuntu has updated the kernel. More info.


Wednesday 23 April 2025


Google

Patch

Google has updated Chrome for desktop to fix one security vulnerability.
More info.

Microsoft is aware. More info.


XWiki

Patch

XWiki contains a vulnerability that allows a remote attacker to escape from the HQL execution context and perform a blind SQL injection. CVSSv4 score of 9.3
More info.


Spring

Patch

A recent fix broke a vulnerability mitigation in Spring Security. CVSSv3 score of 5.3
More info.


Trellix

Patch

Trellix Endpoint Security has been updated to fix a persistent DoS vulnerability.
More info.


CODESYS

Patch

A remote attacker can read static visualization files of the CODESYS WebVisu. CVSSv3 score of 5.3
More info.


Linux

Patch

Ubuntu has updated the kernel. More info.


Tuesday 22 April 2025


Hitachi

Patch

Multiple vulnerabilities have been found in JP1. Highest CVSSv3 score of 8.1
More info.


HPE

Patch

Security vulnerabilities have been identified in HPE UOCAM that could allow a remote attacker to achieve DoS, Remote Buffer Overflow, and RCE. Highest CVSSv3 score of 9.1
More info.


PyTorch

Patch

PyTorch contans a RCE vulnerability. CVSSv4 score of 9.3
More info.


TRUMPF

Patch

TRUMPF products contain a RCE vulnerability in log4net. CVSSv3 score of 9.8
More info.


IBM

Patch

IBM has published Critical bulletins for Power HMC, QRadar Suite, CICS TX Standard, App Connect Enterprise,
More info.


Dell

Patch

Dell has published Critical bulletins for APEX Cloud Platform, SRM, SMR, and PowerStore X.
More info.


Monday 21 April 2025


Microsoft

Patch

Microsoft has updated Edge with the latest chromium updates.
More info.


Tenable

Patch

Nessus has been updated to fix 3rd party software vulnerabilities. Highest CVSSv3 score of 8.1
More info.


ASUS

Patch

An improper authentication control vulnerability exists in certain ASUS router firmware series that can be triggered by a crafted request, potentially leading to unauthorized execution of functions.. CVSSv3 score of 7.5
More info.


Yokogawa

Patch

Yokogawa recorder products have a missing authentication for critical function vulnerability. CVSSv3 score of 9.8
More info. And here.


BD

Patch

BD has published Critical bulletins for IDM, Pyxis, Data Agent, CCE, and Alaris.
More info.


NetApp

New

NetApp has published 10 new bulletins identifying vulnerabilities in third-party software included in their products. Highest CVSSv3 score of 7.5
No patches yet.
More info.


PRODUCT

GUARDED 

This alert state represents the return towards normalisation of an alert state, indicating that there was a higher alert state due to a product vulnerability during the previous few days.


PRODUCT

INCREASED 

This alert state indicates that a product vulnerability has been identified within the last few days. The vulnerability is either difficult to exploit, or if exploited, results in reduced impact to the target system.


PRODUCT

HIGH 

This alert state indicates a more serious vulnerability which is exploitable.


PRODUCT

CRITICAL 

This alert state indicates a significant threat to the product, where exploits exist or where the vulnerability is potentially devastating.


NEW

NEW 

This bottom descriptor is used with a vulnerability which has been identified in the last 24 hours, with no patch or exploit. It will typically be paired with Increased.


+24hrs

+24hrs

 This bottom descriptor is used with Indicates an alert state which has been present for more than 24 hours. It will typically be paired with Guarded, and could be changed to +48hr for an item that came out as Critical.


Patch

PATCH 

This bottom descriptor indicates that patches are available for vulnerabilities, whether it is the initial report or a patch of a vulnerability that had been previously reported.  It could be paired with Increased or High, and on rare occasions Critical.


Exploit

EXPLOIT 

This bottom descriptor indicates that an Exploit has been made public for a vulnerability, whether it is the initial report or an indication of an exploit for a vulnerability that had been previously reported.  It could be paired with High or Critical.


ZERO

ZERO DAY 

This bottom descriptor indicates that a vulnerability has been announced without the opportunity for the vendor to patch it before the details are made known.  It could be paired with High or Critical.