Monthly
TLS certificate verification bypass in Kuma's kuma-dp data plane allows an on-path attacker to intercept the dataplane authentication token and inject a forged bootstrap configuration, effectively taking over the proxy. Affected deployments are Universal mode installations where operators start kuma-dp against an HTTPS control plane without supplying a CA certificate via --ca-cert-file or the KUMA_CONTROL_PLANE_CA_CERT environment variable. Standard Kubernetes installations using kumactl or the official Helm chart are not affected because the mutating admission webhook automatically injects the CA certificate. No public exploit or CISA KEV listing is present at time of analysis; patch releases are available across all supported branches.
TLS certificate verification bypass in Kuma's kumactl CLI tool allows network-adjacent attackers to intercept API tokens via man-in-the-middle attack. When an operator adds an HTTPS control plane profile without supplying --ca-cert-file, kumactl silently disables TLS verification (InsecureSkipVerify=true) and transmits API tokens over the unverified connection. A successful intercept grants the attacker the ability to impersonate the operator and issue privileged commands to the control plane. No public exploit identified at time of analysis; vendor-released patches are available.
Missing SSH host key verification in Dulwich's paramiko vendor module exposes SSH connections to man-in-the-middle interception. The contrib/paramiko_vendor.py module used paramiko's MissingHostKeyPolicy, which silently accepts any server host key without checking it against known_hosts, allowing a network-positioned attacker to impersonate a legitimate SSH Git server. No public exploit has been identified at time of analysis and EPSS sits at 0.14% (4th percentile), but the attack is conceptually straightforward for any attacker with network access between client and server.
Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.
Privilege escalation in Microsoft's Azure Monitor Agent (specifically the Metrics Extension) lets an unauthenticated attacker on an adjacent network gain elevated privileges by exploiting improper TLS certificate validation (CWE-295). Because the agent fails to properly verify the certificate of the endpoint it communicates with, an attacker positioned on the same broadcast/logical network segment can impersonate a trusted server and hijack the agent's privileged context, yielding high confidentiality, integrity, and availability impact. Microsoft rates it CVSS 8.8; there is currently no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Active Directory certificate-validation path lets an already-authenticated attacker on Windows 10 (1607/1809) and Windows Server 2016 through 2025 (including Server Core) improperly validate a certificate to gain higher privileges. Microsoft reported and patched the flaw (CWE-295), but there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS 7.8 vector (AV:L/PR:L) confirms an authenticated local attacker with full confidentiality, integrity, and availability impact upon success.
Improper TLS certificate validation in Fortinet FortiClientEMS (Endpoint Management Server) exposes sensitive information to network-positioned attackers across FortiClientEMS 7.2 (all listed builds up to 7.2.14), 7.4.0–7.4.1, and 7.4.3–7.4.5. Because the client fails to properly verify server certificates (CWE-295), an attacker able to intercept EMS communications can decrypt or observe protected traffic to disclose information. There is no public exploit identified at time of analysis and CISA SSVC scores exploitation as 'none', but Fortinet rates the flaw CVSS 9.8, so patching should be prioritized despite the lack of observed exploitation.
Remote code execution affects the Lorex 2K Indoor Wi-Fi Security Camera through improper TLS certificate validation in its device management server, allowing a network-adjacent attacker to impersonate the management server and, when chained with additional flaws, run code as root without any user interaction. The issue was reported through Trend Micro's Zero Day Initiative (ZDI-26-399, formerly ZDI-CAN-26851). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Man-in-the-middle code injection in DIRAC's grid pilot bootstrap affects the DIRACGrid Python distributed-computing framework, where the PilotWrapper explicitly disables TLS certificate validation when fetching the second-stage pilot.tar. Because both the payload and its reference checksum traverse the same unverified HTTPS channel, an attacker positioned on the grid site's network can substitute arbitrary code that runs in the pilot context with access to its proxy/credentials. No public exploit identified at time of analysis; exploitation requires an active network intercept, which the vendor notes is non-trivial, but the CVSS is 8.1 due to full CIA impact.
Man-in-the-middle interception and traffic manipulation in the EVbee Service Android app (v1.4.101.00) is possible because the app negotiates HTTPS but never validates the server's TLS certificate, and further protects payloads only with RC4 under a hardcoded key. An attacker positioned on the network path can decrypt and alter app-to-server traffic and harvest charging-station access codes. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reproducible with standard interception tooling.
TLS certificate verification bypass in Kuma's kuma-dp data plane allows an on-path attacker to intercept the dataplane authentication token and inject a forged bootstrap configuration, effectively taking over the proxy. Affected deployments are Universal mode installations where operators start kuma-dp against an HTTPS control plane without supplying a CA certificate via --ca-cert-file or the KUMA_CONTROL_PLANE_CA_CERT environment variable. Standard Kubernetes installations using kumactl or the official Helm chart are not affected because the mutating admission webhook automatically injects the CA certificate. No public exploit or CISA KEV listing is present at time of analysis; patch releases are available across all supported branches.
TLS certificate verification bypass in Kuma's kumactl CLI tool allows network-adjacent attackers to intercept API tokens via man-in-the-middle attack. When an operator adds an HTTPS control plane profile without supplying --ca-cert-file, kumactl silently disables TLS verification (InsecureSkipVerify=true) and transmits API tokens over the unverified connection. A successful intercept grants the attacker the ability to impersonate the operator and issue privileged commands to the control plane. No public exploit identified at time of analysis; vendor-released patches are available.
Missing SSH host key verification in Dulwich's paramiko vendor module exposes SSH connections to man-in-the-middle interception. The contrib/paramiko_vendor.py module used paramiko's MissingHostKeyPolicy, which silently accepts any server host key without checking it against known_hosts, allowing a network-positioned attacker to impersonate a legitimate SSH Git server. No public exploit has been identified at time of analysis and EPSS sits at 0.14% (4th percentile), but the attack is conceptually straightforward for any attacker with network access between client and server.
Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.
Privilege escalation in Microsoft's Azure Monitor Agent (specifically the Metrics Extension) lets an unauthenticated attacker on an adjacent network gain elevated privileges by exploiting improper TLS certificate validation (CWE-295). Because the agent fails to properly verify the certificate of the endpoint it communicates with, an attacker positioned on the same broadcast/logical network segment can impersonate a trusted server and hijack the agent's privileged context, yielding high confidentiality, integrity, and availability impact. Microsoft rates it CVSS 8.8; there is currently no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Active Directory certificate-validation path lets an already-authenticated attacker on Windows 10 (1607/1809) and Windows Server 2016 through 2025 (including Server Core) improperly validate a certificate to gain higher privileges. Microsoft reported and patched the flaw (CWE-295), but there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS 7.8 vector (AV:L/PR:L) confirms an authenticated local attacker with full confidentiality, integrity, and availability impact upon success.
Improper TLS certificate validation in Fortinet FortiClientEMS (Endpoint Management Server) exposes sensitive information to network-positioned attackers across FortiClientEMS 7.2 (all listed builds up to 7.2.14), 7.4.0–7.4.1, and 7.4.3–7.4.5. Because the client fails to properly verify server certificates (CWE-295), an attacker able to intercept EMS communications can decrypt or observe protected traffic to disclose information. There is no public exploit identified at time of analysis and CISA SSVC scores exploitation as 'none', but Fortinet rates the flaw CVSS 9.8, so patching should be prioritized despite the lack of observed exploitation.
Remote code execution affects the Lorex 2K Indoor Wi-Fi Security Camera through improper TLS certificate validation in its device management server, allowing a network-adjacent attacker to impersonate the management server and, when chained with additional flaws, run code as root without any user interaction. The issue was reported through Trend Micro's Zero Day Initiative (ZDI-26-399, formerly ZDI-CAN-26851). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Man-in-the-middle code injection in DIRAC's grid pilot bootstrap affects the DIRACGrid Python distributed-computing framework, where the PilotWrapper explicitly disables TLS certificate validation when fetching the second-stage pilot.tar. Because both the payload and its reference checksum traverse the same unverified HTTPS channel, an attacker positioned on the grid site's network can substitute arbitrary code that runs in the pilot context with access to its proxy/credentials. No public exploit identified at time of analysis; exploitation requires an active network intercept, which the vendor notes is non-trivial, but the CVSS is 8.1 due to full CIA impact.
Man-in-the-middle interception and traffic manipulation in the EVbee Service Android app (v1.4.101.00) is possible because the app negotiates HTTPS but never validates the server's TLS certificate, and further protects payloads only with RC4 under a hardcoded key. An attacker positioned on the network path can decrypt and alter app-to-server traffic and harvest charging-station access codes. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reproducible with standard interception tooling.