Monthly
Weak password policy enforcement in Quantum Networks router QN-I-470 version 6.1.1.B1 enables adjacent network attackers to gain unauthorized administrative access through password brute-force attacks. CVSS 7.6 reflects adjacent network requirement (AV:A) and high complexity (AC:H), limiting exploitation to attackers already on the local network segment. No active exploitation confirmed (not in CISA KEV), but authentication bypass via brute-force is a well-understood attack primitive requiring only network proximity and time.
Brute force password attacks against Horner Automation XL4/XL7 PLCs and Cscape software allow remote unauthenticated attackers to gain unauthorized administrative access via network connections. Weak password policies (limited complexity requirements) combined with absent rate limiting enable systematic credential enumeration. CVSS 9.1 (Critical) reflects network-accessible attack with no authentication required. CISA ICS-CERT advisory confirms vulnerability in operational technology environments where PLCs control industrial processes.
Juniper Networks CTP OS 9.2R1 and 9.2R2 fail to persist password complexity settings, enabling unauthenticated attackers to exploit predictable weak passwords on local accounts. The password management function allows administrators to configure complexity requirements but does not save these configurations, verifiable through 'Show password requirements' menu. This defect permits trivial passwords that attackers can brute-force remotely to gain full device control. No public exploit identified at time of analysis.
Nautobot REST API user creation and modification endpoints bypass Django's configured password validation rules, allowing authenticated administrators to set or modify user passwords that fail to meet organizational security standards. Versions prior to 2.4.30 and 3.0.10 are affected; an authenticated admin with high privileges can create accounts with weak passwords despite configured AUTH_PASSWORD_VALIDATORS rules. CVSS score is 2.7 (low severity) due to requirement for authenticated administrative access; however, organizations with strict password policies relying on Nautobot's config-driven enforcement face integrity risk.
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks and guess user credentials, potentially gaining unauthorized account access with low confidentiality and availability impact. The vulnerability requires user interaction and high attack complexity to exploit, but affects unauthenticated threat actors over the network. No public exploit code or active exploitation has been identified at the time of analysis.
Weak password policy in Vikunja task management before 2.0.0 allows users to set trivially guessable passwords. PoC available.
Blank admin credentials allowed in device web management. Admin can set empty password, making device fully accessible.
777Vr1 Firmware versions up to 01.00.09 contains a vulnerability that allows attackers to weak password requirements (CVSS 2.0).
Aion versions up to 2.0 contains a vulnerability that allows attackers to the use of easily guessable passwords, potentially resulting in unauthorized acc (CVSS 3.1).
Man-in-the-middle attack vulnerability in the Clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 5.7 MEDIUM]
Weak password policy enforcement in Quantum Networks router QN-I-470 version 6.1.1.B1 enables adjacent network attackers to gain unauthorized administrative access through password brute-force attacks. CVSS 7.6 reflects adjacent network requirement (AV:A) and high complexity (AC:H), limiting exploitation to attackers already on the local network segment. No active exploitation confirmed (not in CISA KEV), but authentication bypass via brute-force is a well-understood attack primitive requiring only network proximity and time.
Brute force password attacks against Horner Automation XL4/XL7 PLCs and Cscape software allow remote unauthenticated attackers to gain unauthorized administrative access via network connections. Weak password policies (limited complexity requirements) combined with absent rate limiting enable systematic credential enumeration. CVSS 9.1 (Critical) reflects network-accessible attack with no authentication required. CISA ICS-CERT advisory confirms vulnerability in operational technology environments where PLCs control industrial processes.
Juniper Networks CTP OS 9.2R1 and 9.2R2 fail to persist password complexity settings, enabling unauthenticated attackers to exploit predictable weak passwords on local accounts. The password management function allows administrators to configure complexity requirements but does not save these configurations, verifiable through 'Show password requirements' menu. This defect permits trivial passwords that attackers can brute-force remotely to gain full device control. No public exploit identified at time of analysis.
Nautobot REST API user creation and modification endpoints bypass Django's configured password validation rules, allowing authenticated administrators to set or modify user passwords that fail to meet organizational security standards. Versions prior to 2.4.30 and 3.0.10 are affected; an authenticated admin with high privileges can create accounts with weak passwords despite configured AUTH_PASSWORD_VALIDATORS rules. CVSS score is 2.7 (low severity) due to requirement for authenticated administrative access; however, organizations with strict password policies relying on Nautobot's config-driven enforcement face integrity risk.
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks and guess user credentials, potentially gaining unauthorized account access with low confidentiality and availability impact. The vulnerability requires user interaction and high attack complexity to exploit, but affects unauthenticated threat actors over the network. No public exploit code or active exploitation has been identified at the time of analysis.
Weak password policy in Vikunja task management before 2.0.0 allows users to set trivially guessable passwords. PoC available.
Blank admin credentials allowed in device web management. Admin can set empty password, making device fully accessible.
777Vr1 Firmware versions up to 01.00.09 contains a vulnerability that allows attackers to weak password requirements (CVSS 2.0).
Aion versions up to 2.0 contains a vulnerability that allows attackers to the use of easily guessable passwords, potentially resulting in unauthorized acc (CVSS 3.1).
Man-in-the-middle attack vulnerability in the Clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 5.7 MEDIUM]