OS command injection in Microchip TimeProvider 4100 Grandmaster (firmware versions before 2.5) allows authenticated attackers on adjacent networks to execute arbitrary system commands with high privileges, leading to complete device compromise. The vulnerability requires low attack complexity and low privileges, with exploitation probability at 0.28% (EPSS), indicating moderate real-world risk. No public exploit identified at time of analysis, but the adjacent network requirement and low complexity make this readily exploitable in targeted attacks against time synchronization infrastructure.
OS command injection in Microchip TimeProvider 4100 Grandmaster allows authenticated adjacent network attackers to execute arbitrary system commands with elevated privileges on firmware versions prior to 2.5. The vulnerability requires low attack complexity and low privileges, enabling complete compromise of device confidentiality, integrity, and availability. EPSS exploitation probability is low (0.28%, 51st percentile) with no public exploit identified at time of analysis, though the straightforward attack vector presents significant risk to network time infrastructure in enterprise environments.
Authentication bypass in Ascertia SigningHub v8.6.8 lets remote unauthenticated attackers brute-force the One-Time Password (OTP) verification endpoint because it enforces no rate limiting, allowing them to defeat the second verification factor and gain access to signing accounts. The flaw is tagged as an Authentication Bypass and carries a high CVSS of 8.1, though the AC:H metric reflects that success depends on iterating through the OTP keyspace. No CISA KEV listing exists and EPSS is modest (0.46%, 37th percentile), indicating no confirmed active exploitation, but a CVE-named public GitHub repository referenced by NVD suggests exploit details may be circulating.
Denial of service in Ascertia SigningHub v8.6.8 stems from a missing rate limit on the /Home/UploadStreamDocument endpoint, letting attackers flood the server with an excessive number of file uploads until resources are exhausted and the e-signature service becomes unavailable. The CVSS vector marks it network-reachable and unauthenticated (PR:N) with high availability impact but no confidentiality or integrity effect. A GitHub repository (saykino/CVE-2025-56223) associated with the CVE indicates publicly available exploit code exists; the flaw is not in CISA KEV and EPSS exploitation probability is modest at 0.54%.
Denial-of-analysis in CAPEv2, the open-source malware analysis sandbox, lets anyone able to submit a sample sabotage the platform's own reporting pipeline. A crafted sample that emits deeply nested or oversized behavior data trips MongoDB BSON size limits or orjson recursion errors in reporting/mongodb.py and reporting/jsondump.py, causing the behavioral report to be truncated or dropped entirely. Rated CVSS 7.5 (availability-only); EPSS is modest at 0.39% (31st percentile) and there is no public exploit identified at time of analysis, though the vector is trivial for anyone who can run a sample.
Uncontrolled account creation in Ascertia SigningHub v8.6.8 allows an attacker to repeatedly add user accounts with no rate limiting, driving resource exhaustion and a denial-of-service condition on the e-signature platform. The flaw stems from improper access control (CWE-284) around the account-provisioning function and is exploitable over the network by a low-privileged actor per the CVSS vector (PR:L). Publicly available exploit code exists (GitHub saykino/CVE-2025-56219), but there is no confirmed active exploitation and EPSS remains low at 0.37% (29th percentile).
SQL injection in Microchip TimeProvider 4100 Grandmaster (firmware <2.5) allows adjacent network attackers with low-level privileges to achieve high integrity and availability impact across system and vulnerable components. EPSS exploitation probability is low (0.03%, 9th percentile) with no public exploit identified at time of analysis. Authentication requirements indicate PR:L (low privileges required) per CVSS vector. Attack complexity is low but requires present attack timing conditions (AT:P).
Authorization bypass via user-controlled key in ACE Center (VHS Electronic Software Ltd. Co.) allows a locally-authenticated low-privileged user to exploit trusted identifiers and access sensitive resources beyond their authorization level. Affected versions span 3.10.100.1768 through 3.10.161.2255, with high confidentiality impact (C:H) but no integrity or availability effect per the CVSS vector. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating no observed widespread exploitation at time of analysis.
Kernel crash in Linux kernel Cadence QSPI driver (cadence-quadspi) allows authenticated local attackers with moderate privileges to cause denial of service by unbinding the driver during active indirect read or write operations. The vulnerability affects Linux kernel versions including 6.17-rc1 through rc4 and potentially earlier versions; exploitation requires root access to force device removal, but the EPSS score of 0.01% indicates minimal real-world exploitation probability despite the availability of upstream fixes in stable kernel branches.
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero unique ID. ``` Each Unit and Terminal within the video function is assigned a unique identification number, the Unit ID (UID) or Terminal ID (TID), contained in the bUnitID or bTerminalID field of the descriptor. The value 0x00 is reserved for undefined ID, ``` If we add a new entity with id 0 or a duplicated ID, it will be marked as UVC_INVALID_ENTITY_ID. In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require entities to have a non-zero unique ID"), we ignored all the invalid units, this broke a lot of non-compatible cameras. Hopefully we are more lucky this time. This also prevents some syzkaller reproducers from triggering warnings due to a chain of entities referring to themselves. In one particular case, an Output Unit is connected to an Input Unit, both with the same ID of 1. But when looking up for the source ID of the Output Unit, that same entity is found instead of the input entity, which leads to such warnings. In another case, a backward chain was considered finished as the source ID was 0. Later on, that entity was found, but its pads were not valid. Here is a sample stack trace for one of those cases. [ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 20.830206] usb 1-1: Using ep0 maxpacket: 8 [ 20.833501] usb 1-1: config 0 descriptor?? [ 21.038518] usb 1-1: string descriptor 0 read error: -71 [ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201) [ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized! [ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized! [ 21.042218] ------------[ cut here ]------------ [ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0 [ 21.043195] Modules linked in: [ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444 [ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 21.044639] Workqueue: usb_hub_wq hub_event [ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0 [ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00 [ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246 [ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1 [ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290 [ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000 [ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003 [ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000 [ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 [ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0 [ 21.051136] PKRU: 55555554 [ 21.051331] Call Trace: [ 21.051480] <TASK> [ 21.051611] ? __warn+0xc4/0x210 [ 21.051861] ? media_create_pad_link+0x2c4/0x2e0 [ 21.052252] ? report_bug+0x11b/0x1a0 [ 21.052540] ? trace_hardirqs_on+0x31/0x40 [ 21.052901] ? handle_bug+0x3d/0x70 [ 21.053197] ? exc_invalid_op+0x1a/0x50 [ 21.053511] ? asm_exc_invalid_op+0x1a/0x20 [ 21.053924] ? media_create_pad_link+0x91/0x2e0 [ 21.054364] ? media_create_pad_link+0x2c4/0x2e0 [ 21.054834] ? media_create_pad_link+0x91/0x2e0 [ 21.055131] ? _raw_spin_unlock+0x1e/0x40 [ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210 [ 21.055837] uvc_mc_register_entities+0x358/0x400 [ 21.056144] uvc_register_chains+0x1 ---truncated---