Skip to main content

Vulnerability Details

The Computer Network Defence Alert State is designed to give a granular and more dynamic visualisation of the current cyber security threat.  Any increase in an alert state will occur immediately an issue is detected and it will drop again by one level each working day

Our rationale for this agility is that vulnerabilities often occur in clusters, therefore reducing the alert state again quickly, will increase your visibility of new threats to the same product. Daily reductions in alert state occur at approximately 1900 GMT/UTC. Significant vulnerabilities may remain for longer. Vulnerabilities on this page are predominantly remotely executable, very few local server exploits will be shown.

Monday 18 March 2024



IBM

Patch

IBM Cloud Pak for Data Scheduling contains vulnerable third-party software packages.  Highest CVSSv3 score of 9.8
More info. And here.


PaperCut

Patch

The Monthly Security Bulletin is out for PaperCut NG/MF.  Highest CVSSv3 score of 8.6
More info.


Canon

Patch

A potential buffer overflow vulnerability exists in the WSD protocol process for Canon Laser Printers and Small Office Multifunctional Printers. A remote attacker can execute arbitrary code, or cause a DoS.
More info.


Linux

Patch

SUSE has updated the kernel. More info.


  

Friday 15 March 2024


Juniper

Patch

Multiple vulnerabilities have been resolved in Juniper Secure Analytics.  Highest CVSSv3 score of 9.8
More info.


Microsoft

Patch

Microsoft has updated Edge to fix chromium-based vulnerabilities as well as 3 Edge-specific vulnerabilities.
More info.


Dell

Patch

Dell VxRail remediation fixes multiple security vulnerabilities that could be exploited. Dell rates this Critical.
More info.


HPE

Patch

Security vulnerabilities have been identified in Unified OSS Console Assurance Monitoring that allow a remote attacker to achieve arbitrary code execution and DoS. Highest CVSSv3 score of 8.1
More info.


NetApp

New

NetApp has published 10 new bulletins identifying vulnerabilities in third-party software included in their products.  Highest CVSSv3 score of 9.8
Only 1 has patches.
More info.


Mitel

Patch

An Improper Configuration vulnerability has been identified in the BluStar component of Mitel InAttend and Mitel CMG which allows a remote attacker to gain access to sensitive information, modify system configuration or execute arbitrary commands. CVSSv3 score of 9.8
More info.


Linux

Patch

SUSE has updated the kernel. More info.


  

Thursday 14 March 2024


Cisco

Patch

Cisco has published 7 new security bulletins. Highest CVSSv3 score of 7.8.
More info.

A vulnerability in theDHCPv4 server feature of IOS XR Software could allow a remote attacker to trigger a crash of the dhcpd process, resulting in a DoS. CVSSv3 score of 5.3
More info.

Multiple vulnerabilities in the IP ACL processing in the ingress direction on MPLS and Pseudowire interfaces of IOS XR Software could allow a remote attacker to bypass a configured ACL. CVSSv3 score of 5.8
More info.


Arcserve

Patch

Multiple vulnerabilities exist in Arcserve Unified Data Protection (UDP) allowing authentication bypass and DoS. Highest CVSSv3 score of 9.8
More info. And here. And here.


Apache

Patch

Apache Tomcat has been updated to fix 2 DoS vulnerabilities.
More info. And here.


BD

Patch

BD has published security updates for third-party software for BACTEC FX, ViperLT, and BACTEC FX40.
The bulletins are dated 30 and 31 March.
More info.


Mitsubishi
Electric

New

Information disclosure and RCE vulnerabilities exist in MELSEC-Q/L Series CPU modules. A remote attacker can read arbitrary information or execute malicious code by sending a specially crafted packet. CVSSv3 score of 9.8
A patch will be released in the near future.
More info.


IBM

Patch

Multple vulnerabilities affect IBM Sterling Secure Proxy. Highest CVSSv3 score of 9.4
More info.


Linux

Patch

Red Hat has updated the kernel, kernel-rt, and kpatch. More info.


  

Wednesday 13 March 2024


Microsoft

Patch

Microsoft Monthly Patches include 61 vulnerabilities. Two are rated Critical. Highest CVSSv3 score of 9.8
More info. And here.


Adobe

Patch

Adobe Monthly Patches include updates for Experience Manager, Premier Pro, ColdFusion, Bridge, Lightroom, and Animate. Highest CVSSv3 score of 8.6
More info.


Fortinet

Patch

Fortinet Monthly Patches include 8 bulletins for FortiOS and FortiProxy, FortiPortal, FortiWLM MEA for FortiManager, and FortiClientEMS.  Highest CVSSv3 score of 9.3
More info.

OoB write and Stack-based Buffer Overflow vulnerabilities in FortiOS & FortiProxy captive portal may allow an attacker who has access to captive portal to execute arbitrary code or commands via specially crafted HTTP requests. CVSSv3 score of 9.3
More info.

An improper neutralization of formula elements in a CSV File vulnerability in FortiClientEMS may allow a remote attacker to execute arbitrary commands on the admin workstation via creating malicious log entries with crafted requests to the server. CVSSv3 score of 8.7
More info.
 
An improper access control vulnerability in FortiWLM MEA for FortiManager may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. CVSSv3 score of 7.7
More info.

A SQL Injection vulnerability in FortiClientEMS may allow a remote attacker to execute unauthorized code or commands via specifically crafted requests. CVSSv3 score of 9.3
More info.


Google

Patch

Google has updated Chrome for Desktop to fix 3 security vulnerabilities.
More info.


Bosch

Patch

RPS and RPS-LITE operator and communication process contain several vulnerabilities, included hardcoded credentials.  Highest CVSSv3 score of 7.3
More info.


Citrix

Patch

SD-WAN contains a vulnerability that allows a remote attacker to disclose limited information from the appliance.  CVSSv3 score of 6.5
This requires access to the management interface.
More info.


Hitachi

Patch

Several vulnerabilities affect Cosminexus products.
More info.


IBM

Patch

IBM QRadar SIEM includes vulnerable components. Highest CVSSv3 score of 9.1
More info.

Vulnerabilities were addressed in IBM Observability with Instana. CVSSv3 score of 9.8
More info. And here.


Intel

Patch

A security vulnerability in the bus lock regulator mechanism for some processors may allow DoS. CVSSv3 score of 6.5
More info.

HPE ProLiant DL/ML and MicroServer are affected. More info.

HP is affected as well.  More info.


Linux

Patch

SUSE has updated the kernel. More info.
OpenSUSE has updated the kernel. More info.


  

Tuesday 12 March 2024


Siemens

Patch

Siemens Monthly Patches are out, with 11 new bulletins and 11 updated bulletins. Of the new bulletins, highest CVSSv3 score of 10
More info.

RUGGEDCOM APE 1808 contains Fortigate NGFW, which has been updated to fix several vulnerabilities. Highest CVSSv3 score of 9.8
More info. And here.

Several products used in Sinteso EN and Cerberus PRO EN Fire Protection Systems contain buffer overflow vulnerabilities in the network communication stack. Highest CVSSv3 score of 10.
More info.

SENTRON 3KC ATC6 Expansion Module Ethernet exposes an unused, unstable http service at port 80/tcp on the Modbus-TCP Ethernet. CVSSv3 score of 7.5
More info.

SIMATIC RF160B contain multiple vulnerabilities of different types that could allow an attacker to execute arbitrary code. Highest CVSSv3 score of 9.8
More info.

SINEMA Remote Connect Server before V3.2 is affected by multiple vulnerabilities. Highest CVSSv3 score of 9.8
More info.


Schneider
Electric

Patch

Schneider Electric Monthly Patches are out, with 2 new bulletins and 3 updated bulletins.  Of the new bulletins, highest CVSSv3 score of 9.8
More info.

Multiple vulnerabilities exist in Easergy T200 products. Highest CVSSv3 score of 9.8
More info.


SAP

Patch

SAP Security Patch Day includes 10 new Security Notes and 2 updated Security Notes. There are updates for NetWeaver, NetWeaver AS Java, NetWeaver AS ABAP, NetWeaver Process Integration, Build Apps, HANA XS Classic and Advanced, BusinessObjects Business Intelligence Platform, Fiori Front End Server and ABAP Platform.  Of the new Notes, Highest CVSSv3 score of 9.4.  One of the updated notes has a CVSSv3 score of 10.
More info.


Phoenix
Contact

Patch

Multiple vulnerabilities have been discovered in the Firmware of CHARX SEC charge controllers. Highest CVSSv3 score of 9.8
More info. And here.


Synology

Patch

Multiple vulnerabilities exist in Synology Router Manage,r that allows a remote attacker to inject arbitrary web script or HTML, among other authenticated vulnerabilities.
More info.


Linux

Patch

Oracle Linux has updated the kernel. More info.
Ubuntu has updated the kernel. More info.


  

Monday 11 March 2024


Dell

Patch

Dell NetWorker vProxy remediation is available for multiple security vulnerabilities that could be exploited. Dell rates this Critical.
More info.


HPE

Patch

Vulnerabilities have been identified in HPE Unified OSS Console Assurance Monitoring that could allow a remote attacker to allow DoS, unauthorized data access and remote disclosure of sensitive information. Highest CVSSv3 score of 8.1
More info.


Digi

New

Digi products are vulnerabile to the Terrapin attack in SSH. CVSSv3 score of 4.9
Manual removal of vulnerabile ciphers/MACs until updates are available.
More info.


  

Friday 08 March 2024


Apple

Exploit

Apple has published updates for Safari, macOS, tvOS, watchOS, and visionOS. At least one vulnerability in each of these products is being actively exploited.
More info.


Chirp
Systems

New

Chirp Access contains a Hard-coded Credentials vulnerability, the software improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access. CVSSv3 score of 9.1
No response from vendor.
More info.


Microsoft

Patch

Microsoft has updated Edge with the latest chromium fixes.
More info.


QNAP

Patch

Multiple vulnerabilities have been reported to affect certain QNAP operating system and applications including an improper authentication vulnerability, allowing a remote attacker to compromise the security of the system via a network. QNAP rates this Critical.
More info.


NetApp

New

NetApp has published 13 new bulletins identifying vulnerabilities in third-party software included in their products. Highest CVSSv3 score of 9.8
No patches yet.
More info.


Linux

Patch

Ubuntu has updated the kernel. More info.


  

Thursday 07 March 2024


Cisco

Patch

Cisco has published 7 new bulletins, Highest CVSSv3 score of 8.2
More info.

A vulnerability in the SAML authentication process of Cisco Secure Client could allow a remote attacker to conduct a CRLF injection attack against a user. CVSSv3 score of 8.2
More info.


Pilz

Patch

The PITreader product family contains the 3rd-party-component uC/HTTP to implement the web server functionality. uC/HTTP is affected by multiple vulnerabilities. These vulnerabilities may enable a remote attacker to gain full control over the system. CVSSv3 score of 9.8.
More info. (registration required)


IBM

Patch

Vulnerabilities have been identified with the DS8900F Hardware Management Console. Highest CVSSv3 score of 9.8
More info.

An execute arbitrary code vulnerability in Apache Axis, an authentication bypass vulnerability in Apache Shiro, and several vulnerabilities in SnakeYAML affect IBM WebSphere Service Registry and Repository. Highest CVSSv3 score of 9.8
More info.


Artica

New

Artica Proxy contains several vulnerabilities reported by KoreLogic. No patches.
More info.


Bosch

Patch

Multiple Git for Windows vulnerabilities have been discovered in DIVAR IP System Manager, affecting several Bosch DIVAR IP all-in-one models.. Highest CVSSv3 score of 9.8
More info.


Linux

Patch

Oracle Linux has updated the kernel. More info.
Ubuntu has updated the kernel. More info.


  

Wednesday 06 March 2024


Apple

0-Day

Apple has published updates for iOS fixing 4 vulnerabilities that allow privilege escalation, 2 of which have been exploited.
More info. And here.


Nice

Patch

Linear eMerge E3-Series contains multiple vulnerabilities, including OS command injection, Unrestricted Upload of File with Dangerous Type, Incorrect Authorization, Insufficiently Protected Credentials, Use of Hard-coded Credentials, and Out-of-bounds Write, among others. Highest CVSSv3 score of 10.
More info.


Sophos

Patch

UTM has been updated to fix a Tinyproxy vulnerability and several curl vulnerabilities, dating back to 2021. Highest CVSSv3 score of 7.5
More info.


Moxa

Patch

A stack-based buffer overflow in the built-in web server in Moxa NPort W2150A/W2250A allows a remote attacker to exploit the vulnerability by sending crafted payload to the web service, resulting in DoS. CVSSv3 score of 8.2
More info.


Bosch

Patch

BVMS contains a Device Adapter service that uses an OpenSSL library containing multiple vulnerabilities. These vulnerabilities could lead to command injection or denial of service. Highest CVSSv3 score of 9.8
More info.


Google

Patch

Google has updated Chrome for Desktop to fix 3 security vulnerabilities, all rated High.
More info.


HPE

Patch

HPE ArubaOS and SD-WAN software contain vulnerabilities that allow a remote attacker to conduct DoS or disclose sensitive information, as well as other vulnerabilities requiring authentication. Highest CVSSv3 score of 7.2
More info. And here.


Linux

Patch

SUSE has updated the linux firmware. More info.
Red Hat has updated the kernel. More info.
Amazon Linux 2023 has updated the kernel. More info.


  

Tuesday 05 March 2024


Google

Patch

Google Monthly Patches for Android are out, with 13 vulnerabilities with  2 rated Critical and 11 rated High, as well as patches for AMLogic, Arm, MediaTek, and Qualcomm.  Highest CVSSv3 score of 9.8
More info.

Google Monthly Patches for Pixel include 52 vulnerabilities, 16 rated Critical, 18 rated High, and 18 rated Moderate.
More info.


Samsung

Patch

Samsung Monthly Patches include 9 vulnerabilities plus Google Android updates.
More info.


Mozilla

Patch

Thunderbird leaks encrypted email subjects to other conversations. CVSSv3 score of 5.7
More info.


Squid

Patch

Due to an Uncontrolled Recursion bug, Squid may be vulnerable to a DoS against HTTP Chunked decoder. CVSSv3 score of 8.6
More info.


Linux

Patch

Red Hat has updated the linux firmware. More info.
Mageia has updated the kernel. More info.
Amazon Linux has updated the kernel. More info.
Amazon Linux 2 has updated the kernel. More info.


  

Monday 04 March 2024


Qualcomm

Patch

Qualcomm Monthly Patches are out, with 16 vulnerabilities, 2 rated Critical, 12 rated High, and 2 rated Medium.  Highest CVSSv3 score of 9.8
More info.


MediaTek

Patch

MediaTek Monthly Patches include 21 vulnerabilities, 12 rated High and 9 rated Medium.
More info.


Hikvision

Patch

HikCentral Professional has been patched to fix 2 vulnerabilities, the worst of which allows a remote attacker to access URLs without authentication. Highest CVSSv3 score of 7.5
More info.


Dell

Patch

Dell PowerScale OneFS remediation is available for multiple security vulnerabilities in node firmware that could be exploited by malicious users to compromise the affected system. Dell rates this Critical.
More info.

Dell EMC Networking remediation is available for Eclypsium security vulnerabilities from Jan 2023 that could be exploited by malicious users to compromise the affected systems. Highest CVSSv3 score of 9.9
More info.

Dell PowerScale OneFS remediation is available for proprietary code vulnerabilities that could be exploited by malicious users to compromise the affected system. Dell rated this High.  Highest CVSSv3 score of 7.4
More info.


Xerox

Patch

Xerox has published security updates for FreeFlow Print Servers.
More info.


IBM

Patch

IBM Cloud Pak for Network Automation fixes multiple security vulnerabilities. Highest CVSSv3 score of 9.8
More info.

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues. Highest CVSSv3 score of 9.8
More info.

QRadar Suite Software includes components with known vulnerabilities. Highest CVSSv3 score of 9.8
More info.

Node.js IP package code execution vulnerability affects Cloud Pak System on Power. CVSSv3 score of 9.8
More info.


  

Friday 01 March 2024


SolarWinds

Patch

SolarWinds has updated Security Event Manager (SEM) to fix vulnerabilities in third-party software as well as one vulnerability in SEM. Highest CVSSv3 score of 9.8
More info.


Microsoft

Patch

Microsoft has updated Edge with the latest chromium patches and one patch for an Edge specific vulnerability.
More info.


NetApp

Patch

NetApp has published 5 new bulletins identifying vulnerabilities in third-party software included in their products.  Highest CVSSv3 score of 8.1
Three have patches.
More info.


Ivanti

Patch

MobileIron line products, including EPMM Reporting DB and N-MDM/Cloud, use PostgreSQL and are vulnerable to the JDBC Driver recent vulnerability.  CVSSv3 score of 10.
More info.


Linux

Patch

Oracle Linux has updated the kernel. More info.


  

PRODUCT

GUARDED 

This alert state represents the return towards normalisation of an alert state, indicating that there was a higher alert state due to a product vulnerability during the previous few days.


PRODUCT

INCREASED 

This alert state indicates that a product vulnerability has been identified within the last few days. The vulnerability is either difficult to exploit, or if exploited, results in reduced impact to the target system.


PRODUCT

HIGH 

This alert state indicates a more serious vulnerability which is exploitable.


PRODUCT

CRITICAL 

This alert state indicates a significant threat to the product, where exploits exist or where the vulnerability is potentially devastating.


NEW

NEW 

This bottom descriptor is used with a vulnerability which has been identified in the last 24 hours, with no patch or exploit. It will typically be paired with Increased.


+24hrs

+24hrs

 This bottom descriptor is used with Indicates an alert state which has been present for more than 24 hours. It will typically be paired with Guarded, and could be changed to +48hr for an item that came out as Critical.


Patch

PATCH 

This bottom descriptor indicates that patches are available for vulnerabilities, whether it is the initial report or a patch of a vulnerability that had been previously reported.  It could be paired with Increased or High, and on rare occasions Critical.


Exploit

EXPLOIT 

This bottom descriptor indicates that an Exploit has been made public for a vulnerability, whether it is the initial report or an indication of an exploit for a vulnerability that had been previously reported.  It could be paired with High or Critical.


ZERO

ZERO DAY 

This bottom descriptor indicates that a vulnerability has been announced without the opportunity for the vendor to patch it before the details are made known.  It could be paired with High or Critical.