Gatekeeper security checks in macOS Tahoe can be bypassed using maliciously crafted ZIP archives due to a logic flaw in file handling. An attacker can create a weaponized ZIP file that, when extracted or opened by a user, circumvents Gatekeeper validation, potentially allowing execution of untrusted code. The vulnerability requires user interaction (opening or extracting the malicious archive) and is limited to local attack surface. Vendor-released patch: macOS Tahoe 26.5.
Ella Core fails to enforce 3GPP TS 33.501 §6.9.5.1 security rules, allowing concurrent NAS Security Mode Command and N2 handover procedures that produce KgNB key mismatches between UE and target gNB, causing handover failures. Exploitation requires a stalled gNB combined with a re-registration race condition. Vendor-released patch: version 1.10.0.
A malicious gNB can corrupt Ella Core's stored UE security capabilities by sending a crafted NGAP PathSwitchRequest message that Ella Core accepts without validation, allowing integrity compromise of security parameters for any user equipment. The vulnerability affects Ella Core versions prior to 1.10.0 and requires access to the NGAP interface (adjacent network), but it can degrade security posture by enabling capability downgrades or feature injection. No public exploit code or active exploitation has been reported.
User equipment (UE) downlink traffic can be redirected to attacker-controlled radios in Ella Core (5G AMF software) versions prior to 1.10.0. A malicious radio with a valid NG Setup connection can forge PDUSessionResourceSetupResponse messages using arbitrary AMF-UE-NGAP-IDs, causing Ella Core to create GTP tunnels that misdirect victim UE downlink packets to the attacker's radio. This enables traffic interception and denial of service against targeted UEs. The vulnerability stems from missing validation that NGAP messages arrive on the correct SCTP association for the UE context. No public exploit identified at time of analysis, and EPSS data not available. Vendor-released patch: version 1.10.0.
Free5GC Access and Mobility Management Function (AMF) versions up to 1.4.3 fail to enforce 3GPP TS 33.501 §6.9.5.1 concurrent security procedure rules, allowing NAS Security Mode Command (SMC) to execute simultaneously with N2 handover procedures. This causes security context mismatches between the UE and network when SMC activates a new KAMF while N2 HandoverRequest carries Next Hop (NH) and Next Hop Chaining Counter (NCC) derived from the old KAMF, resulting in different KgNB key derivation at the target gNB and UE and breaking access stratum (AS) security integrity. Source code analysis confirms missing cross-procedure validation in the SecurityMode() and handleHandoverRequiredMain() functions; packet evidence demonstrates a Rule 2 violation (SMC initiated during an ongoing N2 handover).
Free5GC Access and Mobility Management Function (AMF) v4.2.1 and earlier fail to verify UE Security Capabilities in NGAP PathSwitchRequest messages, allowing a malicious gNB to overwrite the AMF's stored security algorithm preferences with arbitrary values. These corrupted capabilities are then propagated in PathSwitchRequestAcknowledge and subsequent HandoverRequest messages, causing all inter-gNB handovers for affected UEs to fail due to algorithm mismatches. This results in persistent handover denial-of-service until UE re-registration. The vulnerability is directly contrary to the 3GPP TS 33.501 §6.7.3.1 verification requirements and has been demonstrated with a public proof-of-concept using Free5GC v4.2.1 and UERANSIM.
HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-site scripting (XSS) attacks. Authenticated users with low privileges can inject malicious scripts by exploiting insufficient CSP directives, potentially exposing sensitive information or hijacking user sessions. The vulnerability requires user interaction (UI:R) and operates in a non-global scope, limiting but not eliminating real-world risk.
HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling attackers to inject and execute arbitrary scripts through cross-site scripting (XSS) vectors without authentication or user interaction. This network-accessible vulnerability affects all versions and results in information disclosure with a CVSS score of 5.3; no active exploitation has been reported.
Insecure HTTP response header configuration in Eaton Intelligent Power Protector (IPP) software enables attackers to perform web-based attacks including information disclosure and content modification. The vulnerability requires network access, high attack complexity, and user interaction (CVSS AV:N/AC:H/PR:N/UI:R), and affects all versions of IPP software prior to the patched release. No public exploit code or active exploitation has been identified at time of analysis.
Google Chrome prior to version 147.0.7727.55 contains an inappropriate PDF implementation that allows remote attackers to bypass navigation restrictions via a crafted HTML page. The vulnerability requires user interaction to trigger and poses low real-world risk, with an EPSS score of 0.02% (3rd percentile) indicating minimal exploitation probability despite its network-accessible attack vector. A vendor-released patch is available.