IoT
Monthly
Remote authentication bypass in GL.iNet GL-RM1, GL-RM10, GL-RM10RC, and GL-RM1PE versions up to 1.8.1 allows authenticated remote attackers with high privileges to manipulate the Factory Reset Handler component, resulting in improper authentication controls. The vulnerability requires high attack complexity and is difficult to exploit but enables unauthorized access to sensitive device functionality. A vendor-released patch addressing this issue is available in version 1.8.2.
Stack-based buffer overflow in PX4 autopilot versions 1.17.0-rc2 and below allows attackers with MAVLink link access to crash the flight controller by exploiting an unconstrained sscanf operation in the MavlinkLogHandler. An attacker can trigger this by creating deeply nested directories via MAVLink FTP and then requesting the log list, causing the MAVLink task to crash and resulting in loss of telemetry and command capability. This denial of service affects drone and unmanned vehicle systems relying on vulnerable PX4 versions.
The WiFi Extender WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) contains an unprotected UART interface exposed through accessible PCB pads, allowing information disclosure through direct hardware access. An attacker with physical access to the device can connect to the UART pins to read sensitive data, firmware contents, or configuration information without authentication. No CVSS score, EPSS metric, or KEV status is currently available, but a proof-of-concept and detailed security research have been published, confirming the vulnerability's practical exploitability.
Stack buffer overflow in RIOT OS coap_well_known_core_default_handler allows unauthenticated remote attackers to overwrite critical stack data including return addresses through oversized CoAP option responses. Affected IoT devices running RIOT 2026.01 and earlier are vulnerable to denial of service or arbitrary code execution without any user interaction required. No patch is currently available for this vulnerability.
Azure IoT Explorer fails to properly restrict communication to intended endpoints, enabling unauthenticated attackers to intercept and disclose sensitive information over the network. The vulnerability requires no user interaction and can be exploited remotely with a CVSS score of 7.5. A patch is available for affected Azure IoT products.
Azure IoT Explorer fails to enforce authentication on a critical function, enabling unauthenticated network attackers to remotely access and exfiltrate sensitive information. This high-severity vulnerability (CVSS 7.5) affects Azure IoT deployments and requires immediate patching to prevent unauthorized disclosure of IoT configuration and operational data. A patch is available.
Sensitive data transmission over cleartext in Azure IoT Explorer enables network-based attackers to intercept and disclose confidential information without authentication. This vulnerability affects Azure IoT deployments and could expose device credentials, configuration details, or other sensitive metadata to passive network observers. A patch is available to remediate the cleartext transmission issue.
Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.
Hardcoded credentials extractable through API responses and mobile app reverse engineering in an enterprise application. Administrative credentials are exposed in multiple channels.
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory. [CVSS 3.7 LOW]
EnOcean SmartServer IoT versions 4.60.009 and earlier are vulnerable to unauthenticated remote command injection through maliciously crafted LON IP-852 management messages, enabling attackers to execute arbitrary OS commands with high privileges on affected devices. This network-accessible vulnerability requires no user interaction and affects IoT deployments with no available patch currently available.
MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to inject stored XSS payloads that execute when administrators access the property editor, with public exploit code available. The vulnerability is compounded by session cookies lacking HttpOnly protection, enabling attackers to enumerate properties via the /api.php/data/ endpoint and hijack admin sessions through JavaScript exfiltration.
Azure IoT Explorer binds to unrestricted IP addresses, enabling unauthenticated remote attackers to intercept and disclose sensitive information over the network. This vulnerability affects Azure IoT deployments where the Explorer tool is exposed without proper network segmentation. No patch is currently available, making network isolation the primary mitigation strategy.
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. [CVSS 6.3 MEDIUM]
Out-of-bounds read in ESP-IDF versions 5.1.6 through 5.5.2 allows remote attackers to trigger memory corruption via malformed BLE prepare-write requests during device provisioning mode. An unauthenticated BLE client can exploit improper length tracking in the protocomm_ble transport to cause the provisioning handler to read beyond allocated buffer boundaries. This results in potential information disclosure and denial of service for affected IoT devices.
Espressif IoT Development Framework versions 5.1.6-5.5.2 contain a use-after-free vulnerability in the BLE provisioning layer that allows remote attackers to trigger memory corruption when provisioning is stopped with keep_ble_on enabled. A connected BLE client can exploit freed GATT metadata through read/write callbacks to cause denial of service or potential code execution. Patches are available for all affected versions.
RIOT IoT operating system has an out-of-bounds read vulnerability (CVSS 9.1) that could lead to information disclosure or crashes on IoT devices.
Synectix LAN 232 TRIO serial-to-ethernet adapter exposes its web management interface without authentication (CVSS 10.0), enabling unauthenticated control of serial devices.
Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the industrial monitoring database.
An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with scope change. Requires knowledge of a legitimate user's identity.
RIOT OS ethos utility has a stack buffer overflow in _handle_char() due to missing bounds checking on serial frame data. Incoming frame bytes overflow a fixed-size stack buffer.
RIOT OS (IoT operating system) tapslip6 utility has a stack buffer overflow due to unbounded strcpy/strcat with user-controlled device name input. PoC available.
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can...
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compr...
Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.
Missing authentication on the HTTPS connectAP interface in TP-Link Tapo C200 V3 firmware (versions 1.3.3 through 1.4.1) allows adjacent network attackers to remotely reconfigure device Wi-Fi settings, causing permanent denial-of-service until manual intervention. The vulnerability exploits CWE-306 (Missing Authentication for Critical Function) with CVSS 8.7 severity, requiring only adjacent network access with low attack complexity and no user interaction. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the technical barrier is minimal for LAN-positioned adversaries.
CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.
CVE-2025-1727 is a critical vulnerability in RF-based remote linking protocols used for End-of-Train (EoT) and Head-of-Train (HoT/FRED) devices in railway operations. The vulnerability exploits a weak BCH checksum implementation that allows attackers to forge brake control commands using software-defined radios (SDR), potentially disrupting train operations or overwhelming brake systems. This affects railway infrastructure globally, with a CVSS score of 8.1 indicating high severity; active exploitation status and proof-of-concept availability are critical factors that determine immediate priority despite the attack requiring physical/adjacent network proximity.
CVE-2025-48890 is a critical OS command injection vulnerability in the miniigd SOAP service affecting WRH-733GBK and WRH-733GWH network storage devices. Remote unauthenticated attackers can execute arbitrary OS commands by sending specially crafted requests, achieving complete system compromise (CVSS 9.8). With an attack vector of Network/Low complexity/No privileges required, this vulnerability poses immediate risk to exposed devices.
CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.
CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote authenticated attackers to read arbitrary files from the underlying system via unsanitized input to the /cgi-bin/cgiServer.exx endpoint's page parameter. This vulnerability affects IP phone administrators with network access to the management interface and carries a CVSS 8.5 score reflecting high confidentiality impact. Active exploitation evidence was documented by Shadowserver Foundation on 2025-02-02 UTC, indicating real-world attack activity.
A remote code execution vulnerability in versions from 2.5.0 to (CVSS 8.3). High severity vulnerability requiring prompt remediation. Vendor patch is available.
A command injection vulnerability (CVSS 9.8). Risk factors: public PoC available.
A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available.
Critical remote code execution vulnerability in WOLFBOX Level 2 EV Charger devices that exploits an exposed dangerous method in the Tuya communications module, allowing network-adjacent attackers to upload and execute arbitrary code despite authentication requirements. The authentication bypass mechanism combined with the exposed software upload functionality creates a high-severity attack path that can grant attackers complete control over affected EV charger installations. This vulnerability (formerly ZDI-CAN-26349) presents significant risk to vehicle charging infrastructure and connected IoT deployments relying on Tuya-based communication protocols.
A remote code execution vulnerability in IDF (CVSS 8.3). High severity vulnerability requiring prompt remediation.
CVE-2018-25112 is an unauthenticated network-based Denial-of-Service vulnerability affecting IEC 61131-compliant Industrial Logic Controllers (ILCs). An attacker can exhaust device resources by flooding the controller with crafted network traffic, rendering it unresponsive. With a CVSS score of 7.5 (High severity), no authentication required, and network-accessible attack surface, this poses significant risk to industrial control systems; however, exploitation likelihood depends on network exposure and whether patches are available from affected vendors.
Remote authentication bypass in GL.iNet GL-RM1, GL-RM10, GL-RM10RC, and GL-RM1PE versions up to 1.8.1 allows authenticated remote attackers with high privileges to manipulate the Factory Reset Handler component, resulting in improper authentication controls. The vulnerability requires high attack complexity and is difficult to exploit but enables unauthorized access to sensitive device functionality. A vendor-released patch addressing this issue is available in version 1.8.2.
Stack-based buffer overflow in PX4 autopilot versions 1.17.0-rc2 and below allows attackers with MAVLink link access to crash the flight controller by exploiting an unconstrained sscanf operation in the MavlinkLogHandler. An attacker can trigger this by creating deeply nested directories via MAVLink FTP and then requesting the log list, causing the MAVLink task to crash and resulting in loss of telemetry and command capability. This denial of service affects drone and unmanned vehicle systems relying on vulnerable PX4 versions.
The WiFi Extender WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) contains an unprotected UART interface exposed through accessible PCB pads, allowing information disclosure through direct hardware access. An attacker with physical access to the device can connect to the UART pins to read sensitive data, firmware contents, or configuration information without authentication. No CVSS score, EPSS metric, or KEV status is currently available, but a proof-of-concept and detailed security research have been published, confirming the vulnerability's practical exploitability.
Stack buffer overflow in RIOT OS coap_well_known_core_default_handler allows unauthenticated remote attackers to overwrite critical stack data including return addresses through oversized CoAP option responses. Affected IoT devices running RIOT 2026.01 and earlier are vulnerable to denial of service or arbitrary code execution without any user interaction required. No patch is currently available for this vulnerability.
Azure IoT Explorer fails to properly restrict communication to intended endpoints, enabling unauthenticated attackers to intercept and disclose sensitive information over the network. The vulnerability requires no user interaction and can be exploited remotely with a CVSS score of 7.5. A patch is available for affected Azure IoT products.
Azure IoT Explorer fails to enforce authentication on a critical function, enabling unauthenticated network attackers to remotely access and exfiltrate sensitive information. This high-severity vulnerability (CVSS 7.5) affects Azure IoT deployments and requires immediate patching to prevent unauthorized disclosure of IoT configuration and operational data. A patch is available.
Sensitive data transmission over cleartext in Azure IoT Explorer enables network-based attackers to intercept and disclose confidential information without authentication. This vulnerability affects Azure IoT deployments and could expose device credentials, configuration details, or other sensitive metadata to passive network observers. A patch is available to remediate the cleartext transmission issue.
Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.
Hardcoded credentials extractable through API responses and mobile app reverse engineering in an enterprise application. Administrative credentials are exposed in multiple channels.
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory. [CVSS 3.7 LOW]
EnOcean SmartServer IoT versions 4.60.009 and earlier are vulnerable to unauthenticated remote command injection through maliciously crafted LON IP-852 management messages, enabling attackers to execute arbitrary OS commands with high privileges on affected devices. This network-accessible vulnerability requires no user interaction and affects IoT deployments with no available patch currently available.
MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to inject stored XSS payloads that execute when administrators access the property editor, with public exploit code available. The vulnerability is compounded by session cookies lacking HttpOnly protection, enabling attackers to enumerate properties via the /api.php/data/ endpoint and hijack admin sessions through JavaScript exfiltration.
Azure IoT Explorer binds to unrestricted IP addresses, enabling unauthenticated remote attackers to intercept and disclose sensitive information over the network. This vulnerability affects Azure IoT deployments where the Explorer tool is exposed without proper network segmentation. No patch is currently available, making network isolation the primary mitigation strategy.
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. [CVSS 6.3 MEDIUM]
Out-of-bounds read in ESP-IDF versions 5.1.6 through 5.5.2 allows remote attackers to trigger memory corruption via malformed BLE prepare-write requests during device provisioning mode. An unauthenticated BLE client can exploit improper length tracking in the protocomm_ble transport to cause the provisioning handler to read beyond allocated buffer boundaries. This results in potential information disclosure and denial of service for affected IoT devices.
Espressif IoT Development Framework versions 5.1.6-5.5.2 contain a use-after-free vulnerability in the BLE provisioning layer that allows remote attackers to trigger memory corruption when provisioning is stopped with keep_ble_on enabled. A connected BLE client can exploit freed GATT metadata through read/write callbacks to cause denial of service or potential code execution. Patches are available for all affected versions.
RIOT IoT operating system has an out-of-bounds read vulnerability (CVSS 9.1) that could lead to information disclosure or crashes on IoT devices.
Synectix LAN 232 TRIO serial-to-ethernet adapter exposes its web management interface without authentication (CVSS 10.0), enabling unauthenticated control of serial devices.
Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the industrial monitoring database.
An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with scope change. Requires knowledge of a legitimate user's identity.
RIOT OS ethos utility has a stack buffer overflow in _handle_char() due to missing bounds checking on serial frame data. Incoming frame bytes overflow a fixed-size stack buffer.
RIOT OS (IoT operating system) tapslip6 utility has a stack buffer overflow due to unbounded strcpy/strcat with user-controlled device name input. PoC available.
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can...
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compr...
Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.
Missing authentication on the HTTPS connectAP interface in TP-Link Tapo C200 V3 firmware (versions 1.3.3 through 1.4.1) allows adjacent network attackers to remotely reconfigure device Wi-Fi settings, causing permanent denial-of-service until manual intervention. The vulnerability exploits CWE-306 (Missing Authentication for Critical Function) with CVSS 8.7 severity, requiring only adjacent network access with low attack complexity and no user interaction. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the technical barrier is minimal for LAN-positioned adversaries.
CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.
CVE-2025-1727 is a critical vulnerability in RF-based remote linking protocols used for End-of-Train (EoT) and Head-of-Train (HoT/FRED) devices in railway operations. The vulnerability exploits a weak BCH checksum implementation that allows attackers to forge brake control commands using software-defined radios (SDR), potentially disrupting train operations or overwhelming brake systems. This affects railway infrastructure globally, with a CVSS score of 8.1 indicating high severity; active exploitation status and proof-of-concept availability are critical factors that determine immediate priority despite the attack requiring physical/adjacent network proximity.
CVE-2025-48890 is a critical OS command injection vulnerability in the miniigd SOAP service affecting WRH-733GBK and WRH-733GWH network storage devices. Remote unauthenticated attackers can execute arbitrary OS commands by sending specially crafted requests, achieving complete system compromise (CVSS 9.8). With an attack vector of Network/Low complexity/No privileges required, this vulnerability poses immediate risk to exposed devices.
CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.
CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote authenticated attackers to read arbitrary files from the underlying system via unsanitized input to the /cgi-bin/cgiServer.exx endpoint's page parameter. This vulnerability affects IP phone administrators with network access to the management interface and carries a CVSS 8.5 score reflecting high confidentiality impact. Active exploitation evidence was documented by Shadowserver Foundation on 2025-02-02 UTC, indicating real-world attack activity.
A remote code execution vulnerability in versions from 2.5.0 to (CVSS 8.3). High severity vulnerability requiring prompt remediation. Vendor patch is available.
A command injection vulnerability (CVSS 9.8). Risk factors: public PoC available.
A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available.
Critical remote code execution vulnerability in WOLFBOX Level 2 EV Charger devices that exploits an exposed dangerous method in the Tuya communications module, allowing network-adjacent attackers to upload and execute arbitrary code despite authentication requirements. The authentication bypass mechanism combined with the exposed software upload functionality creates a high-severity attack path that can grant attackers complete control over affected EV charger installations. This vulnerability (formerly ZDI-CAN-26349) presents significant risk to vehicle charging infrastructure and connected IoT deployments relying on Tuya-based communication protocols.
A remote code execution vulnerability in IDF (CVSS 8.3). High severity vulnerability requiring prompt remediation.
CVE-2018-25112 is an unauthenticated network-based Denial-of-Service vulnerability affecting IEC 61131-compliant Industrial Logic Controllers (ILCs). An attacker can exhaust device resources by flooding the controller with crafted network traffic, rendering it unresponsive. With a CVSS score of 7.5 (High severity), no authentication required, and network-accessible attack surface, this poses significant risk to industrial control systems; however, exploitation likelihood depends on network exposure and whether patches are available from affected vendors.