Monthly
Insecure credential storage in PcVue exposes built-in user account passwords to any local attacker with low-privileged filesystem access, across all versions prior to 17.0.0. The credentials are stored unprotected in the project's User directory, recoverable without elevated OS privileges. No public exploit code has been identified at time of analysis, but in OT/SCADA environments where PcVue is deployed, recovered credentials could enable unauthorized control of industrial processes.
Cleartext password storage in Netflix Lemur's user-update service path allows any attacker who gains read access to the Lemur database, its backups, query logs, or read replicas to obtain directly usable plaintext credentials - no offline cracking required. The flaw affects all Lemur deployments running pip/lemur <= 1.9.1 and is triggered exclusively when an administrator resets a user password through the admin-gated PUT /api/1/users/<id> API endpoint. No public exploit is required: the advisory itself contains precise reproduction steps, and the side effect (immediate login failure for affected users) makes the exposure operationally detectable. No KEV listing exists at time of analysis.
Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
Authentication bypass in motionEye versions prior to 0.44.0 allows remote attackers to impersonate any user, including the administrator, by setting the client-controlled cookies meye_password_hash and meye_username without ever knowing the plaintext password. The server treats these attacker-controlled values as sufficient authentication material, and because the admin hash is stored in a world-readable file (/etc/motioneye/motion.conf), any local shell user can trivially escalate to admin via the web UI. Publicly available exploit code exists in the GitHub Security Advisory GHSA-r3cw-c95m-wfh9, but there is no public exploit identified beyond the PoC and the issue is not in CISA KEV.
Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0 silently downgrades RSA encryption from OAEP to PKCS#1 v1.5 when operators explicitly configure `encrypt:rsa:algorithm=OAEP`. The root cause is an incorrect BouncyCastle transformation string in `RsaKeyStoreDecryptor.cs` - the `OAEP` branch passed `"RSA/ECB/PKCS1"` to `CipherUtilities.GetCipher()` instead of the correct `"RSA/NONE/OAEPWithSHA1AndMGF1Padding"`, meaning both the `OAEP` and `DEFAULT` settings silently selected the same weaker algorithm. No public exploit is identified at time of analysis, and CVSS scores this at 1.9 (Low) given the high-privilege local attack vector; however, the security consequence is a cryptographic guarantee failure that exposes encrypted configuration secrets to Bleichenbacher-class padding oracle attacks that OAEP was chosen to prevent.
update_disk_psu_baseline.sh requires password in plain text. Rated high severity (CVSS 7.4).
IBM Security QRadar EDR 3.12 through 3.12.24 stores user credentials in plain text which can be read by a local privileged user. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.
Plaintext credential exposure in GNCC GP5 v7.1.76 allows physically-proximate attackers to capture wireless network credentials by monitoring the device's serial UART interface during routine operations. The device transmits sensitive wireless network information - including network credentials - in cleartext to the serial console, making them trivially readable by anyone with physical access and a UART adapter. No public exploit is identified at time of analysis and no active exploitation is confirmed; however, a researcher-published IoT vulnerability disclosure exists on GitHub detailing the finding.
Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ILM Informatique OpenConcerto 1.7.5 stores sensitive passwords in plaintext, allowing authenticated local users to retrieve embedded credentials with low complexity. The vulnerability enables information disclosure of authentication data accessible via local file access, confirmed by CISA SSVC framework as having partial technical impact but no evidence of active exploitation.
Insecure credential storage in PcVue exposes built-in user account passwords to any local attacker with low-privileged filesystem access, across all versions prior to 17.0.0. The credentials are stored unprotected in the project's User directory, recoverable without elevated OS privileges. No public exploit code has been identified at time of analysis, but in OT/SCADA environments where PcVue is deployed, recovered credentials could enable unauthorized control of industrial processes.
Cleartext password storage in Netflix Lemur's user-update service path allows any attacker who gains read access to the Lemur database, its backups, query logs, or read replicas to obtain directly usable plaintext credentials - no offline cracking required. The flaw affects all Lemur deployments running pip/lemur <= 1.9.1 and is triggered exclusively when an administrator resets a user password through the admin-gated PUT /api/1/users/<id> API endpoint. No public exploit is required: the advisory itself contains precise reproduction steps, and the side effect (immediate login failure for affected users) makes the exposure operationally detectable. No KEV listing exists at time of analysis.
Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
Authentication bypass in motionEye versions prior to 0.44.0 allows remote attackers to impersonate any user, including the administrator, by setting the client-controlled cookies meye_password_hash and meye_username without ever knowing the plaintext password. The server treats these attacker-controlled values as sufficient authentication material, and because the admin hash is stored in a world-readable file (/etc/motioneye/motion.conf), any local shell user can trivially escalate to admin via the web UI. Publicly available exploit code exists in the GitHub Security Advisory GHSA-r3cw-c95m-wfh9, but there is no public exploit identified beyond the PoC and the issue is not in CISA KEV.
Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0 silently downgrades RSA encryption from OAEP to PKCS#1 v1.5 when operators explicitly configure `encrypt:rsa:algorithm=OAEP`. The root cause is an incorrect BouncyCastle transformation string in `RsaKeyStoreDecryptor.cs` - the `OAEP` branch passed `"RSA/ECB/PKCS1"` to `CipherUtilities.GetCipher()` instead of the correct `"RSA/NONE/OAEPWithSHA1AndMGF1Padding"`, meaning both the `OAEP` and `DEFAULT` settings silently selected the same weaker algorithm. No public exploit is identified at time of analysis, and CVSS scores this at 1.9 (Low) given the high-privilege local attack vector; however, the security consequence is a cryptographic guarantee failure that exposes encrypted configuration secrets to Bleichenbacher-class padding oracle attacks that OAEP was chosen to prevent.
update_disk_psu_baseline.sh requires password in plain text. Rated high severity (CVSS 7.4).
IBM Security QRadar EDR 3.12 through 3.12.24 stores user credentials in plain text which can be read by a local privileged user. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.
Plaintext credential exposure in GNCC GP5 v7.1.76 allows physically-proximate attackers to capture wireless network credentials by monitoring the device's serial UART interface during routine operations. The device transmits sensitive wireless network information - including network credentials - in cleartext to the serial console, making them trivially readable by anyone with physical access and a UART adapter. No public exploit is identified at time of analysis and no active exploitation is confirmed; however, a researcher-published IoT vulnerability disclosure exists on GitHub detailing the finding.
Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ILM Informatique OpenConcerto 1.7.5 stores sensitive passwords in plaintext, allowing authenticated local users to retrieve embedded credentials with low complexity. The vulnerability enables information disclosure of authentication data accessible via local file access, confirmed by CISA SSVC framework as having partial technical impact but no evidence of active exploitation.