CWE-923
Improper Restriction of Communication Channel to Intended Endpoints
Monthly
Arbitrary file operations in ASUS Aura Wallpaper Service allow a low-privileged local user to send crafted commands that carry an attacker-controlled file path, bypassing the service's intended path restrictions and abusing its higher-privileged context. Because the service exposes a communication channel that fails to properly restrict callers or validate file names (CWE-923), a local user can read, write, or manipulate files outside the intended scope, with high impact to confidentiality, integrity, and availability; on certain ASUS models exploitation can also render a single feature unavailable. No public exploit is identified at time of analysis, and it is not listed in CISA KEV, but the CVSS 4.0 base score of 8.5 (High) reflects meaningful impact despite the local vector and high attack complexity.
Privilege escalation in Fortinet FortiSIEM Windows Agent 7.4.0 through 7.4.1 stems from an improper restriction of the agent's communication channel (CWE-923), letting an adjacent-network attacker interact with an endpoint that should be limited to trusted parties and thereby gain elevated privileges with full confidentiality, integrity, and availability impact. The flaw was disclosed by Fortinet PSIRT (FG-IR-26-155) and carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is gated by high attack complexity, which materially reduces real-world likelihood despite the unauthenticated vector.
License exhaustion in Juniper Networks Junos OS Evolved lets an unauthenticated, network-based attacker reach the device's license-management process, which was intended to be internal-only but is exposed on an open network port due to incorrect initialization. All Junos OS Evolved releases before 23.2R2-EVO are affected. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible network-facing denial-of-service risk to affected routing/switching platforms.
Junos OS Evolved exposes an internal communication process to the network via an unintended open port due to incorrect initialization, enabling unauthenticated remote attackers to interact with a service never designed for external access. Affected Juniper devices suffer limited information disclosure and elevated CPU consumption as the misbound process handles unsolicited ingress packets - a soft availability degradation rather than a crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network vector across a broad version range warrants prompt patching on internet-facing routing infrastructure.
X11 forwarding session hijacking in OpenSSH enables a local unprivileged attacker sharing a Linux client host to intercept and partially manipulate the victim's forwarded X11 display traffic by squatting on the predictable abstract UNIX domain socket name before the SSH client creates it. Affected deployments span OpenSSH packages across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4. No public exploit code has been identified at time of analysis, but successful exploitation yields high-confidence access to sensitive X11 session data including keystrokes, window contents, and clipboard material.
DNS covert-channel exfiltration in Docker Sandboxes (sbx) prior to v0.33.0 allows untrusted workloads executing inside internet-connected sandboxes to bypass the configured HTTP/S-only egress allowlist by encoding data into DNS subdomain labels. The per-network embedded DNS resolver forwards all queried names to the host resolver without consulting egress policy, undermining the core isolation guarantee that sbx provides for AI agent workloads. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector assigns high confidentiality impact (VC:H), consistent with the ability to exfiltrate arbitrary in-sandbox data - including API keys, environment variables, and workspace secrets - to an attacker-controlled authoritative DNS server.
IBM watsonx.data (IBM Lakehouse) versions 2.2 through 2.3.1 fails to properly restrict inbound and outbound network connections, enabling authenticated low-privilege attackers to transfer or modify files without appropriate authorization controls. The vulnerability carries a CVSS score of 5.4 with network reachability and low attack complexity, though EPSS probability sits at just 0.02% (7th percentile) and SSVC assessment confirms no active exploitation. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via IBM's support portal.
Route Services in Cloud Foundry Routing Release v0.118.0-v0.371.0 and CF Deployment v0.0.2-v54.14.0 allow authenticated malicious developers to bypass application egress rules by configuring route-services that redirect traffic to internal network destinations otherwise unreachable from external networks or the application itself. This affects the scope of the routing infrastructure, enabling information disclosure and potential lateral movement within the Gorouter network.
IBM watsonx.data versions 2.2 through 2.3 fail to enforce proper network segmentation between Kubernetes pods in the Lakehouse component, allowing attackers with network access to the cluster to transfer data between pods without authentication or authorization controls. This integrity vulnerability has a moderate CVSS score of 5.3 and requires adjacent network access and specific configuration conditions to exploit.
Unauthenticated network access to Home Assistant apps bypasses intended Docker isolation on Linux systems, exposing internal services to any device on the local network. Apps configured with host network mode inadvertently bind internal Docker bridge endpoints to the broader LAN without authentication controls, enabling unauthorized access with high confidentiality, integrity, and availability impact (CVSS 9.6). Vendor-released patch available in Home Assistant Supervisor 2026.03.02. No public exploit identified at time of analysis, though exploitation requires only adjacent network access with low attack complexity.
Arbitrary file operations in ASUS Aura Wallpaper Service allow a low-privileged local user to send crafted commands that carry an attacker-controlled file path, bypassing the service's intended path restrictions and abusing its higher-privileged context. Because the service exposes a communication channel that fails to properly restrict callers or validate file names (CWE-923), a local user can read, write, or manipulate files outside the intended scope, with high impact to confidentiality, integrity, and availability; on certain ASUS models exploitation can also render a single feature unavailable. No public exploit is identified at time of analysis, and it is not listed in CISA KEV, but the CVSS 4.0 base score of 8.5 (High) reflects meaningful impact despite the local vector and high attack complexity.
Privilege escalation in Fortinet FortiSIEM Windows Agent 7.4.0 through 7.4.1 stems from an improper restriction of the agent's communication channel (CWE-923), letting an adjacent-network attacker interact with an endpoint that should be limited to trusted parties and thereby gain elevated privileges with full confidentiality, integrity, and availability impact. The flaw was disclosed by Fortinet PSIRT (FG-IR-26-155) and carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is gated by high attack complexity, which materially reduces real-world likelihood despite the unauthenticated vector.
License exhaustion in Juniper Networks Junos OS Evolved lets an unauthenticated, network-based attacker reach the device's license-management process, which was intended to be internal-only but is exposed on an open network port due to incorrect initialization. All Junos OS Evolved releases before 23.2R2-EVO are affected. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible network-facing denial-of-service risk to affected routing/switching platforms.
Junos OS Evolved exposes an internal communication process to the network via an unintended open port due to incorrect initialization, enabling unauthenticated remote attackers to interact with a service never designed for external access. Affected Juniper devices suffer limited information disclosure and elevated CPU consumption as the misbound process handles unsolicited ingress packets - a soft availability degradation rather than a crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network vector across a broad version range warrants prompt patching on internet-facing routing infrastructure.
X11 forwarding session hijacking in OpenSSH enables a local unprivileged attacker sharing a Linux client host to intercept and partially manipulate the victim's forwarded X11 display traffic by squatting on the predictable abstract UNIX domain socket name before the SSH client creates it. Affected deployments span OpenSSH packages across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4. No public exploit code has been identified at time of analysis, but successful exploitation yields high-confidence access to sensitive X11 session data including keystrokes, window contents, and clipboard material.
DNS covert-channel exfiltration in Docker Sandboxes (sbx) prior to v0.33.0 allows untrusted workloads executing inside internet-connected sandboxes to bypass the configured HTTP/S-only egress allowlist by encoding data into DNS subdomain labels. The per-network embedded DNS resolver forwards all queried names to the host resolver without consulting egress policy, undermining the core isolation guarantee that sbx provides for AI agent workloads. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector assigns high confidentiality impact (VC:H), consistent with the ability to exfiltrate arbitrary in-sandbox data - including API keys, environment variables, and workspace secrets - to an attacker-controlled authoritative DNS server.
IBM watsonx.data (IBM Lakehouse) versions 2.2 through 2.3.1 fails to properly restrict inbound and outbound network connections, enabling authenticated low-privilege attackers to transfer or modify files without appropriate authorization controls. The vulnerability carries a CVSS score of 5.4 with network reachability and low attack complexity, though EPSS probability sits at just 0.02% (7th percentile) and SSVC assessment confirms no active exploitation. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via IBM's support portal.
Route Services in Cloud Foundry Routing Release v0.118.0-v0.371.0 and CF Deployment v0.0.2-v54.14.0 allow authenticated malicious developers to bypass application egress rules by configuring route-services that redirect traffic to internal network destinations otherwise unreachable from external networks or the application itself. This affects the scope of the routing infrastructure, enabling information disclosure and potential lateral movement within the Gorouter network.
IBM watsonx.data versions 2.2 through 2.3 fail to enforce proper network segmentation between Kubernetes pods in the Lakehouse component, allowing attackers with network access to the cluster to transfer data between pods without authentication or authorization controls. This integrity vulnerability has a moderate CVSS score of 5.3 and requires adjacent network access and specific configuration conditions to exploit.
Unauthenticated network access to Home Assistant apps bypasses intended Docker isolation on Linux systems, exposing internal services to any device on the local network. Apps configured with host network mode inadvertently bind internal Docker bridge endpoints to the broader LAN without authentication controls, enabling unauthorized access with high confidentiality, integrity, and availability impact (CVSS 9.6). Vendor-released patch available in Home Assistant Supervisor 2026.03.02. No public exploit identified at time of analysis, though exploitation requires only adjacent network access with low attack complexity.