Critical stack-based buffer overflow vulnerability in the D-Link DIR-816 router (version 1.10CNB05) that allows remote attackers to execute arbitrary code without authentication. A public proof-of-concept exploit is available on GitHub, making this vulnerability actively exploitable. However, D-Link no longer supports this product, meaning no patch will be released.
Critical stack-based buffer overflow vulnerability in D-Link DIR-816 router firmware version 1.10CNB05, affecting the wireless configuration interface (/goform/form2WlanBasicSetup.cgi). A publicly available proof-of-concept exploit exists, allowing remote attackers without authentication to achieve complete system compromise. The vulnerability affects end-of-life products no longer supported by D-Link, making patches unlikely.
Critical stack-based buffer overflow vulnerability in the D-Link DIR-816 router (version 1.10CNB05) that allows remote attackers to achieve full system compromise without authentication. A public proof-of-concept exploit is available on GitHub, and the vulnerability affects end-of-life products no longer supported by D-Link, making this a high-risk issue for organizations still using these devices.
Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software.
User enumeration vulnerability in ZKTeco ZKBioSecurity 3.0 that allows unauthenticated attackers to discover valid usernames through partial character submissions to the authentication endpoint. A public proof-of-concept exploit is available, making this vulnerability actively exploitable, though it has a notably high CVSS score of 9.8 that appears inflated given the actual impact is limited to information disclosure.
Critical insecure file permissions vulnerability in ZKTeco ZKTime.Net 3.0.1.6 that allows unprivileged local users to gain elevated privileges by replacing executable files in the world-writable application directory. Multiple public proof-of-concept exploits are available on Exploit-DB and PacketStorm, making this vulnerability easily exploitable despite requiring local access. While not listed in CISA KEV and lacking current EPSS data, the availability of working exploits and the simplicity of the attack make this a significant risk for organizations using this time and attendance software.