Monthly
Full device takeover in Juniper Networks Support Insights Virtual Lightweight Collector (vLWC) before 3.0.94 via hardcoded default credentials. The vLWC software ships with an unchangeable initial password for a high-privileged account with no enforced password change during provisioning, enabling unauthenticated remote attackers to gain complete system control. CVSS v4.0 score 9.3 (Critical). No public exploit identified at time of analysis.
IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 contain a vulnerability in security settings administration that could allow authenticated attackers with high privileges to bypass expected security controls and gain unauthorized access to sensitive information. The vulnerability affects a critical administrative interface and, while it requires local access and high privileges to exploit, could enable lateral privilege escalation or information disclosure within enterprise environments. No evidence of active exploitation or public proof-of-concept has been reported, but a vendor patch is available.
GoHarbor Harbor versions 2.15.0 and earlier contain hardcoded default credentials that allow unauthenticated attackers to gain administrative access to the web UI using the default username 'admin' and password 'Harbor12345'. This vulnerability enables complete compromise of the container registry, including image manipulation, deletion, and unauthorized access to stored artifacts. The issue has been documented in GitHub issues and pull requests within the Harbor project, indicating active awareness and remediation efforts by the development team.
Improper authorization in Sz Boot Parent up to version 1.3.2-beta allows authenticated attackers to reset arbitrary user passwords by manipulating the userId parameter in the password reset API endpoint. Public exploit code exists for this vulnerability, enabling remote password reset attacks against any user account. Upgrade to version 1.3.3-beta or later to remediate.
Default password auth bypass in MLflow ML platform. EPSS 1.4%.
Default credentials in Tenda W30E V2 router firmware through V16.01.0.19. Known default password enables full administrative access.
Vivotek IP7137 camera ships without any admin password by default, and users are not informed they should set one. End-of-life product with no expected fix – all deployed cameras are likely exposed.
A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was determined in Cudy WR1200EA 2.3.7-20250113-121810. Rated low severity (CVSS 2.0). No vendor patch available.
Full device takeover in Juniper Networks Support Insights Virtual Lightweight Collector (vLWC) before 3.0.94 via hardcoded default credentials. The vLWC software ships with an unchangeable initial password for a high-privileged account with no enforced password change during provisioning, enabling unauthenticated remote attackers to gain complete system control. CVSS v4.0 score 9.3 (Critical). No public exploit identified at time of analysis.
IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 contain a vulnerability in security settings administration that could allow authenticated attackers with high privileges to bypass expected security controls and gain unauthorized access to sensitive information. The vulnerability affects a critical administrative interface and, while it requires local access and high privileges to exploit, could enable lateral privilege escalation or information disclosure within enterprise environments. No evidence of active exploitation or public proof-of-concept has been reported, but a vendor patch is available.
GoHarbor Harbor versions 2.15.0 and earlier contain hardcoded default credentials that allow unauthenticated attackers to gain administrative access to the web UI using the default username 'admin' and password 'Harbor12345'. This vulnerability enables complete compromise of the container registry, including image manipulation, deletion, and unauthorized access to stored artifacts. The issue has been documented in GitHub issues and pull requests within the Harbor project, indicating active awareness and remediation efforts by the development team.
Improper authorization in Sz Boot Parent up to version 1.3.2-beta allows authenticated attackers to reset arbitrary user passwords by manipulating the userId parameter in the password reset API endpoint. Public exploit code exists for this vulnerability, enabling remote password reset attacks against any user account. Upgrade to version 1.3.3-beta or later to remediate.
Default password auth bypass in MLflow ML platform. EPSS 1.4%.
Default credentials in Tenda W30E V2 router firmware through V16.01.0.19. Known default password enables full administrative access.
Vivotek IP7137 camera ships without any admin password by default, and users are not informed they should set one. End-of-life product with no expected fix – all deployed cameras are likely exposed.
A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was determined in Cudy WR1200EA 2.3.7-20250113-121810. Rated low severity (CVSS 2.0). No vendor patch available.