Skip to main content

CWE-924

Improper Enforcement of Message Integrity During Transmission

23 CVEs Avg CVSS 7.1 MITRE
2
CRITICAL
11
HIGH
9
MEDIUM
1
LOW
6
POC
0
KEV

Monthly

CVE-2026-54891 MEDIUM PATCH This Month

Blind plaintext injection into Erlang/OTP TLS clients allows a network-positioned attacker to insert unauthenticated APPLICATION_DATA records during the handshake that the application subsequently receives as authenticated post-handshake server data. The root asymmetry is in tls_gen_connection:handle_protocol_record/3, which correctly rejects pre-handshake APPLICATION_DATA for TLS server endpoints but omits the equivalent guard for client endpoints, enabling record buffering prior to authentication. No active exploitation has been confirmed (not in CISA KEV, no POC referenced), but the network-only attack requirement and breadth of affected OTP versions - spanning OTP 17.0 through current - make patching urgent for Erlang-based services that consume TLS client data in untrusted network environments.

Code Injection Otp
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-12576 HIGH This Week

Denial of service in Delta Electronics DVP80ES3 programmable logic controllers arises from a failure to enforce message integrity on a communication channel (CWE-924), allowing remote, unauthenticated attackers to inject or tamper with protocol messages and disrupt device availability. Per the vendor CVSS vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H), the confirmed impact is loss of availability of this industrial controller with no privileges or user interaction required. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the network-reachable, no-auth profile of an ICS device makes it operationally significant.

Information Disclosure Dvp80Es3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2019-25719 HIGH This Week

Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower contain network message handling vulnerabilities that allow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-39827 Go MEDIUM POC PATCH GHSA This Month

Unbounded memory growth in the golang.org/x/crypto/ssh package allows an authenticated remote attacker to crash the SSH server process by repeatedly opening channels that the server rejects. All versions of golang.org/x/crypto/ssh prior to 0.52.0 are affected, and a successful attack disrupts service for every user connected to that server instance. No public exploit has been identified at time of analysis, and EPSS probability sits at 0.02% (5th percentile), though the authentication barrier is low and the availability impact affects all concurrent sessions.

Denial Of Service Golang Org X Crypto Ssh
NVD VulDB GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-0592 HIGH This Week

The vulnerability may allow a remote low priviledged attacker to run arbitrary shell commands by manipulating the firmware file and uploading it to the device. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-12399 MEDIUM This Month

exists that could cause partial loss of confidentiality, loss of integrity and availability of the HMI when attacker performs man in the middle attack by intercepting the communication. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
6.1
EPSS
0.2%
CVE-2024-8933 HIGH This Week

vulnerability exists that could cause retrieval of password hash that could lead to denial of service and loss of confidentiality and integrity of controllers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service
NVD
CVSS 4.0
7.5
EPSS
0.3%
CVE-2024-43450 HIGH PATCH This Week

Windows DNS Spoofing Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Microsoft Windows Server 2008 Windows Server 2012 Windows Server 2016 +4
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-52288 PyPI MEDIUM PATCH This Month

libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol) and provides a C library with support for C++, Rust and Python3. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2024-44730 CRITICAL Act Now

Incorrect access control in the function handleDataChannelChat(dataMessage) of Mirotalk before commit c21d58 allows attackers to forge chat messages using an arbitrary sender name. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Blind plaintext injection into Erlang/OTP TLS clients allows a network-positioned attacker to insert unauthenticated APPLICATION_DATA records during the handshake that the application subsequently receives as authenticated post-handshake server data. The root asymmetry is in tls_gen_connection:handle_protocol_record/3, which correctly rejects pre-handshake APPLICATION_DATA for TLS server endpoints but omits the equivalent guard for client endpoints, enabling record buffering prior to authentication. No active exploitation has been confirmed (not in CISA KEV, no POC referenced), but the network-only attack requirement and breadth of affected OTP versions - spanning OTP 17.0 through current - make patching urgent for Erlang-based services that consume TLS client data in untrusted network environments.

Code Injection Otp
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in Delta Electronics DVP80ES3 programmable logic controllers arises from a failure to enforce message integrity on a communication channel (CWE-924), allowing remote, unauthenticated attackers to inject or tamper with protocol messages and disrupt device availability. Per the vendor CVSS vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H), the confirmed impact is loss of availability of this industrial controller with no privileges or user interaction required. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the network-reachable, no-auth profile of an ICS device makes it operationally significant.

Information Disclosure Dvp80Es3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower contain network message handling vulnerabilities that allow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Unbounded memory growth in the golang.org/x/crypto/ssh package allows an authenticated remote attacker to crash the SSH server process by repeatedly opening channels that the server rejects. All versions of golang.org/x/crypto/ssh prior to 0.52.0 are affected, and a successful attack disrupts service for every user connected to that server instance. No public exploit has been identified at time of analysis, and EPSS probability sits at 0.02% (5th percentile), though the authentication barrier is low and the availability impact affects all concurrent sessions.

Denial Of Service Golang Org X Crypto Ssh
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH This Week

The vulnerability may allow a remote low priviledged attacker to run arbitrary shell commands by manipulating the firmware file and uploading it to the device. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

exists that could cause partial loss of confidentiality, loss of integrity and availability of the HMI when attacker performs man in the middle attack by intercepting the communication. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

vulnerability exists that could cause retrieval of password hash that could lead to denial of service and loss of confidentiality and integrity of controllers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Windows DNS Spoofing Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Microsoft Windows Server 2008 +6
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol) and provides a C library with support for C++, Rust and Python3. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Incorrect access control in the function handleDataChannelChat(dataMessage) of Mirotalk before commit c21d58 allows attackers to forge chat messages using an arbitrary sender name. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy