Information Disclosure
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.
How It Works
The exposure arrives through several channels: verbose error messages whose stack traces reveal internal paths, framework names and versions; debug endpoints left active in production; and misconfigured servers that expose directory listings or version-control artifacts such as .git directories. APIs often leak more than the caller needs, returning a full user object when only a display name is required, or exposing system internals through metadata fields.
Attackers work through these exposures systematically: they probe for well-known sensitive files (.env, config.php, backup archives), deliberately trigger error conditions to extract framework details, and compare response timing or content across similar requests to enumerate valid usernames or resources. Even a subtle difference, such as "invalid password" versus "user not found", is enough to enumerate accounts. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that open further attack paths.
The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
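The passive and active probing described above, as an added example (Python, not code from the original page): a small leak classifier run over constructed HTTP responses. The hostnames, headers and bodies are made up for the example. The signatures cover version banners, reachable .git and .env artifacts, framework stack traces, directory listings, and the differential login response that gives an account-enumeration oracle.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# All responses below are constructed for the example, not captured from a real host.
@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    @property
    def path(self) -> str:
        return urlparse(self.url).path

SAMPLES = [
    Response("https://app.example/", 200,
             {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.24"},
             "<html><body>hello</body></html>"),
    Response("https://app.example/.git/HEAD", 200, {"Content-Type": "text/plain"},
             "ref: refs/heads/main\n"),
    Response("https://app.example/.env", 200, {},
             "APP_ENV=production\nDB_PASSWORD=changeme\n"),
    Response("https://app.example/api/items?id=x'", 500, {},
             "Traceback (most recent call last):\n"
             '  File "/srv/app/views.py", line 42, in get_item\n'
             "psycopg2.errors.SyntaxError: syntax error at or near \"'\"\n"),
    Response("https://app.example/backup/", 200, {},
             "<html><title>Index of /backup/</title></html>"),
    Response("https://app.example/healthz", 200, {"Server": "nginx"}, "ok"),
]

BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")
# Development artifacts that should never be reachable; the body check cuts false
# positives from catch-all pages that return 200 for every path.
ARTIFACTS = {
    "/.git/HEAD": re.compile(r"^ref: refs/|^[0-9a-f]{40}\s*$"),
    "/.env": re.compile(r"^[A-Z][A-Z0-9_]*=", re.M),
}
STACK_TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)"        # Python
    r"|\bat [\w$.]+\([\w$]+\.java:\d+\)"          # Java
    r"|^#\d+ /\S+\.php\(\d+\)"                    # PHP
    r"|\bat [\w.]+ in \S+\.cs:line \d+",          # .NET
    re.M,
)
DIR_LISTING_RE = re.compile(r"<title>Index of /", re.I)

def find_leaks(responses):
    """Return (kind, url, detail) tuples for every disclosure pattern seen."""
    leaks = []
    for r in responses:
        for h in BANNER_HEADERS:
            v = r.headers.get(h)
            if v and VERSION_RE.search(v):            # a bare product name is not a leak
                leaks.append(("version_banner", r.url, f"{h}: {v}"))
        pat = ARTIFACTS.get(r.path)
        if pat and r.status == 200 and pat.search(r.body):
            leaks.append(("dev_artifact", r.url, r.path))
        if r.status >= 500 and STACK_TRACE_RE.search(r.body):
            leaks.append(("stack_trace", r.url, r.body.splitlines()[0]))
        if r.status == 200 and DIR_LISTING_RE.search(r.body):
            leaks.append(("directory_listing", r.url, ""))
    return leaks

# Differential check for account enumeration: the same wrong password is sent for a
# known-good username and for one that cannot exist; any observable difference is an oracle.
LOGIN_PAIR = (
    Response("https://app.example/login", 401, {}, "Invalid password"),
    Response("https://app.example/login", 404, {}, "User not found"),
)

def enumeration_oracle(valid, invalid):
    """List which response attributes differ between a valid and an invalid username."""
    diffs = []
    if valid.status != invalid.status:
        diffs.append("status")
    if valid.body != invalid.body:
        diffs.append("body")
    if len(valid.body) != len(invalid.body):
        diffs.append("length")
    return diffs

if __name__ == "__main__":
    for kind, url, detail in find_leaks(SAMPLES):
        print(f"{kind:18} {url} {detail}")
    print("enumeration oracle:", enumeration_oracle(*LOGIN_PAIR))
```

The artifact check keys on both path and body because many applications answer 200 with a generic page for any path; a `ref: refs/` line or a `KEY=value` body is what distinguishes a real exposure from a soft 404. Timing is deliberately left out of `enumeration_oracle`: it needs repeated sampling and statistics rather than a single pair of responses.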
Impact
- Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
- Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
- Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
- Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
- Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures
Real-World Examples
A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.
Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.
Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.
Mitigation
- Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
- Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
- Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
- Response minimization: API responses should return only the fields the caller needs; implement allowlists rather than blocklists for data exposure
- Security headers: Set X-Content-Type-Options: nosniff, strip Server and X-Powered-By version banners, and disable directory indexing
- Timing consistency: Ensure authentication and validation responses take uniform time and return identical messages regardless of input validity
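The generic-error, response-minimization and timing-consistency mitigations above, as an added Python example (not the page's code and not any framework's): a generic error response that carries only a correlation id, an allowlist-based field minimizer, and a login routine that does the same hashing work and returns the same body whether or not the username exists. The user record layout, field names and PBKDF2 iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import logging
import os
import uuid

log = logging.getLogger("app")
ITERATIONS = 100_000  # illustrative; tune to your hardware, or use argon2id via a library

# 1. Generic error responses: the client sees a fixed message and a correlation id;
#    the exception type, message and traceback go to the server-side log only.
def error_response(exc, status=500):
    ref = uuid.uuid4().hex[:12]
    log.error("request failed ref=%s", ref, exc_info=exc)
    return {"status": status, "body": {"error": "An internal error occurred.", "ref": ref}}

# 2. Response minimization: an explicit allowlist per audience. Columns added to the
#    user record later (hashes, internal flags) stay hidden until someone deliberately
#    adds them here, which is the point of an allowlist over a blocklist.
PUBLIC_FIELDS = frozenset({"id", "display_name"})
SELF_FIELDS = PUBLIC_FIELDS | {"email", "created_at"}

def minimize(record, allowed):
    return {k: v for k, v in record.items() if k in allowed}

# 3. Uniform authentication failures. An unknown username still costs one full hash
#    computation and one constant-time comparison, so neither timing nor the body
#    reveals whether the account exists.
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"not-a-real-password", _DUMMY_SALT, ITERATIONS)

def make_user(uid, username, password, email):
    """Constructed user record (assumed layout) with a per-user random salt."""
    salt = os.urandom(16)
    return {
        "id": uid, "username": username, "display_name": username.title(),
        "email": email, "created_at": "2025-01-01", "is_admin": False,
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
    }

def verify_password(record, password):
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # compare_digest runs in time independent of where the bytes first differ;
    # the record check afterwards guarantees a missing user never authenticates.
    return hmac.compare_digest(candidate, expected) and record is not None

def generic_auth_failure():
    return {"status": 401, "body": {"error": "Invalid username or password."}}

def login(users, username, password):
    record = users.get(username)
    if not verify_password(record, password):
        return generic_auth_failure()
    return {"status": 200, "body": minimize(record, SELF_FIELDS)}

# Constructed sample data for the example.
USERS = {"alice": make_user(1, "alice", "correct horse battery staple", "alice@example.test")}

if __name__ == "__main__":
    print(login(USERS, "alice", "correct horse battery staple"))
    print(login(USERS, "alice", "wrong"))
    print(login(USERS, "nobody", "wrong"))   # indistinguishable from the line above
    try:
        1 / 0
    except ZeroDivisionError as e:
        print(error_response(e))
```

The correlation id is what lets support staff find the full trace in the server log without ever sending it to the client. The dummy hash is computed once at import so the unknown-user path is not slower than the known-user path on first use.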
Recent CVEs (13229)
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.
CVE-2025-49152 is a security vulnerability (CVSS 8.7) that allows an attacker. High severity vulnerability requiring prompt remediation.
Discourse versions prior to 3.4.6 (stable) and 3.5.0.beta8-dev (tests-passed) contain an information disclosure vulnerability where users retain visibility of their own whisper-typed posts even after losing the group membership that should restrict access to whispers. This is a logic flaw in the whisper visibility enforcement mechanism (CWE-200: Information Exposure); it is reachable over the network but requires an authenticated account that previously held whisper access, and is rated high for confidentiality impact. No public exploitation has been reported, but the issue is easily discoverable through normal platform usage.
A SQL injection vulnerability in Student Record system Using PHP and MySQL v (CVSS 7.1) that allows a remote attacker. High severity vulnerability requiring prompt remediation.
A local, low-privileged attacker can learn the password of the connected controller in PLC Designer V4 due to an incorrect implementation that results in the password being displayed in plain text under special conditions.
Cyberduck and Mountain Duck improperly implement TLS certificate pinning by storing certificate fingerprints using the cryptographically weak SHA-1 algorithm instead of modern alternatives like SHA-256. This allows attackers to potentially forge or spoof self-signed certificates and perform man-in-the-middle (MITM) attacks against users of affected versions. The vulnerability affects Cyberduck through version 9.1.6 and Mountain Duck through version 4.17.5; while no public POC or active KEV exploitation is currently documented, the CVSS 7.4 rating reflects high confidentiality and integrity impact.
CVE-2025-41255 is a security vulnerability (CVSS 8.0). High severity vulnerability requiring prompt remediation.
A remote code execution vulnerability (CVSS 6.8). Remediation should follow standard vulnerability management procedures.
Certain devices expose serial numbers via HTTP/HTTPS/IPP and SNMP that can be used to generate the default administrator password. An unauthenticated attacker who discovers the serial number can calculate the admin password and gain full administrative control of the device without brute force.
An unauthenticated attacker who can access either the HTTP service (TCP port 80), the HTTPS service (TCP port 443), or the IPP service (TCP port 631), can leak several pieces of sensitive information from a vulnerable device. The URI path /etc/mnt_info.csv can be accessed via a GET request and no authentication is required. The returned result is a comma separated value (CSV) table of information. The leaked information includes the device’s model, firmware version, IP address, and serial number.
CVE-2025-0966 is a SQL injection vulnerability in IBM InfoSphere Information Server 11.7 that allows authenticated remote attackers to execute arbitrary SQL commands against the backend database. An attacker with valid credentials can view, add, modify, or delete sensitive information without administrative privileges. The vulnerability carries a CVSS score of 7.6 (High) and requires low attack complexity, making it a significant risk for organizations using affected versions.
A security vulnerability in RISC Zero (CVSS 1.7). Remediation should follow standard vulnerability management procedures.
A security vulnerability in Meshtastic-Android (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Allure 2 versions prior to 2.34.1 contain a critical XML External Entity (XXE) injection vulnerability in the xunit-xml-plugin that allows unauthenticated remote attackers to read arbitrary files from the server's filesystem and potentially trigger SSRF attacks. The vulnerability stems from insecure XML parser configuration in the DocumentBuilderFactory and is exploitable by uploading or providing malicious test result XML files without any authentication or user interaction required.
CVE-2025-52571 is a critical authentication bypass vulnerability in Hikka Telegram userbot affecting versions below 1.6.2 that allows unauthenticated attackers to gain unauthorized access to victims' Telegram accounts and full server control. The vulnerability has a CVSS score of 9.6 (Critical) with network-based exploitation requiring only user interaction; patch version 1.6.2 is available as the sole remediation with no known workarounds.
ControlID iDSecure On-premises versions 4.7.48.0 and prior contain SQL injection vulnerabilities that allow unauthenticated remote attackers to execute arbitrary SQL queries, potentially leaking sensitive information or modifying database contents. The CVSS 9.1 score reflects the critical nature (high confidentiality and integrity impact), though availability is not directly affected. Active exploitation status and proof-of-concept availability cannot be confirmed from provided data, but the unauthenticated, network-accessible attack vector makes this a high-priority vulnerability.
Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials.
A remote code execution vulnerability in versions 10.0.0 (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
NVIDIA AIStore contains a vulnerability in the AIS Operator where a user may gain elevated k8s cluster access by using the ServiceAccount attached to the ClusterRole. A successful exploit of this vulnerability may lead to information disclosure.
CVE-2025-4378 is a critical authentication vulnerability in Ataturk University's ATA-AOF Mobile Application that combines cleartext transmission of sensitive information with hard-coded credentials, allowing unauthenticated attackers over the network to bypass authentication and abuse user accounts. All versions before 20.06.2025 are affected, with the maximum CVSS 3.1 score of 10.0, indicating the highest impact across confidentiality, integrity, and availability.
CVE-2025-23265 is a code injection vulnerability in NVIDIA Megatron-LM's Python component that allows local attackers with low privileges to execute arbitrary code by providing a malicious file. Successful exploitation enables code execution, privilege escalation, information disclosure, and data tampering. This vulnerability affects all platforms running Megatron-LM and poses significant risk to machine learning infrastructure, particularly in multi-tenant or shared compute environments.
CVE-2025-23264 is a code injection vulnerability in NVIDIA Megatron-LM's Python component that allows local attackers with limited privileges to execute arbitrary code through malicious file inputs. This vulnerability affects all platforms running Megatron-LM and can lead to complete system compromise including code execution, privilege escalation, information disclosure, and data tampering. The attack requires local access and user interaction is not needed, making it a significant risk for multi-tenant environments and shared compute resources.
CVE-2025-36537 is a local privilege escalation vulnerability in TeamViewer Client (Full and Host) and Tensor prior to version 15.67 on Windows that allows an unprivileged local user to delete arbitrary files with SYSTEM privileges by exploiting improper permission assignment in the MSI rollback mechanism. The vulnerability is limited to Remote Management features (Backup, Monitoring, and Patch Management), has a CVSS score of 7.0, and requires local access with medium attack complexity but no user interaction. This vulnerability represents a significant elevation-of-privilege risk for organizations relying on TeamViewer for remote management.
CVE-2025-6032 is a TLS certificate validation bypass in Podman's machine init command that fails to verify certificates when downloading VM images from OCI registries, enabling Man-in-the-Middle (MITM) attacks. This affects users running Podman machine initialization on networked systems where attackers can intercept traffic. While the CVSS score of 8.3 indicates high severity with potential for confidentiality, integrity, and availability impact, real-world exploitation requires specific network positioning (AC:H - high attack complexity) and user interaction (UI:R), suggesting moderate practical risk despite the high base score.
CVE-2025-27827 is an information disclosure vulnerability in Mitel MiContact Center Business legacy chat component (versions through 10.2.0.3) that allows unauthenticated attackers to access sensitive chat data and session information through improper session handling. An attacker can exploit this to read active chat messages, join chat rooms without authorization, and send messages as legitimate users, requiring only user interaction to succeed. The CVSS 7.1 score reflects high confidentiality impact with limited integrity risk, though real-world exploitability depends on whether this is actively exploited (KEV status unknown from provided data) and patch availability from Mitel.
CVE-2025-6433 is a critical WebAuthn specification violation in Firefox and Thunderbird that allows attackers to present WebAuthn authentication challenges over non-secure TLS connections with user-granted exceptions. This bypasses the WebAuthn requirement for secure transport without errors, enabling credential theft and account compromise. Firefox < 140 and Thunderbird < 140 are affected; the network-based attack requires no privileges or user interaction beyond the initial certificate exception grant, resulting in a CVSS 9.8 critical rating.
CVE-2025-6432 is a DNS proxy bypass vulnerability in Firefox and Thunderbird when Mozilla's Multi-Account Containers extension is enabled. Under specific conditions-invalid domain names or unresponsive SOCKS proxies-DNS requests circumvent the configured SOCKS proxy, potentially exposing user browsing activity to network monitoring. This affects Firefox < 140 and Thunderbird < 140, has a high CVSS score of 8.6 reflecting significant confidentiality impact, and requires network-level access but no user interaction to exploit.
CVE-2025-6426 is a missing executable file warning vulnerability in Firefox and Thunderbird on macOS that fails to alert users before opening files with the 'terminal' extension, potentially allowing attackers to execute arbitrary code. This affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12 on macOS only. An attacker can leverage this to trick users into executing malicious terminal scripts by bypassing the security warning mechanism that normally prevents automatic execution of executable files.
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
A vulnerability exists in the IEC 61850 in MicroSCADA X SYS600 product. The certificate validation of the TLS protocol allows remote Man-in-the-Middle attack due to missing proper validation.
A vulnerability exists in the Web interface of the MicroSCADA X SYS600 product. The filtering query in the Web interface can be malformed, so returning data can leak unauthorized information to the user.
CVE-2025-39202 is a local privilege escalation vulnerability in MicroSCADA X SYS600's Monitor Pro interface that allows authenticated users with low privileges to read and overwrite arbitrary files, leading to information disclosure and data corruption. The vulnerability affects the SYS600 product line and requires local access with valid credentials. The CVSS score of 7.3 indicates moderate-to-high severity; whether it has been added to CISA's KEV catalog or has publicly available proof-of-concept code is not recorded here, and either would raise its remediation priority.
CVE-2025-2403 is a network-based denial-of-service vulnerability affecting ABB Relion 670/650 and SAM600-IO series devices, caused by improper prioritization of network traffic over protection mechanisms. An unauthenticated attacker can remotely trigger this vulnerability to malfunction critical functions such as the Line Distance Communication Module (LDCM), potentially causing service disruption in power distribution systems. With a CVSS score of 7.5 and network-accessible attack vector, this represents a significant threat to industrial control systems, particularly in electrical grid infrastructure.
CVE-2025-1718 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
CVE-2025-3092 is an unauthenticated user enumeration vulnerability affecting an unprotected endpoint that allows remote attackers to discover valid usernames without authentication or user interaction. The vulnerability has a CVSS score of 7.5 (High) with a vector indicating network-based attack with low complexity and no privileges required, resulting in high confidentiality impact. While the description does not specify affected product versions, CPE strings, or KEV/EPSS data, the high CVSS and information disclosure nature suggest this requires urgent patching in affected systems where user enumeration could enable follow-up attacks like credential brute-forcing or targeted social engineering.
CVE-2025-3090 is a critical authentication bypass vulnerability affecting network devices that exposes a missing authentication requirement for sensitive functions. The vulnerability allows unauthenticated remote attackers to obtain limited sensitive information and trigger denial-of-service conditions without requiring any user interaction or special privileges. If actively exploited (KEV status pending confirmation), this represents an immediate threat to exposed devices as the attack vector is network-based with low complexity.
CVE-2025-6560 is a critical authentication bypass vulnerability affecting multiple Sapido wireless router models, where unauthenticated remote attackers can directly access system configuration files containing plaintext administrator credentials. The affected models are end-of-life products with no vendor patches available. The vulnerability carries a CVSS 9.8 rating; no exploitation data is recorded here, but the attack requires nothing more than an unauthenticated request for the configuration file. Immediate device replacement is the only viable remediation.
Rejected reason: Not used. No vendor patch available.
SysmonElixir versions prior to 1.0.1 contain a path traversal vulnerability in the /read endpoint that allows unauthenticated remote attackers to read arbitrary files from the server, including sensitive system files like /etc/passwd. The vulnerability was patched in version 1.0.1 by implementing a whitelist restricting file reads to the priv/data directory. This is a high-severity information disclosure issue (CVSS 7.5) with no authentication required and network-accessible attack surface.
Kanboard prior to version 1.2.46 contains a host header injection vulnerability that allows unauthenticated attackers to craft malicious password reset emails with attacker-controlled URLs when the application_url configuration is unset (default state). If a victim clicks the poisoned reset link, their password reset token is leaked to the attacker's domain, enabling complete account takeover including administrative accounts. This vulnerability requires user interaction (clicking a link) but affects all users initiating password resets on vulnerable instances, making it a practical and high-impact attack vector for account compromise.
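The Host-header poisoning described for Kanboard, as an added Python example that is not Kanboard's code: the reset path, token and hostnames are hypothetical. The vulnerable builder derives the link's base URL from the request, which is what an unset base-URL setting falls back to; the hardened one uses a configured base URL (the equivalent of application_url) and otherwise rejects any Host value not on an allowlist.

```python
from urllib.parse import urlsplit

TOKEN = "a1b2c3d4e5f6"                       # hypothetical reset token
RESET_PATH = "/reset?token="                 # hypothetical path, not Kanboard's real route
TRUSTED_HOSTS = frozenset({"kanboard.example.test"})

# Constructed requests: a normal one and one whose Host header names the attacker's domain.
NORMAL = {"Host": "kanboard.example.test"}
POISONED = {"Host": "attacker.example.net"}

def vulnerable_reset_url(headers, token):
    """Builds the link from whatever Host (or X-Forwarded-Host) the client sent.
    The attacker's value is embedded in the email the victim receives, and clicking
    it delivers the token to the attacker's server."""
    scheme = headers.get("X-Forwarded-Proto", "https")
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"{scheme}://{host}{RESET_PATH}{token}"

def safe_reset_url(headers, token, application_url=None):
    """Prefers a configured base URL; without one, only an allowlisted Host is accepted."""
    if application_url:
        base = application_url.rstrip("/")
    else:
        host = headers.get("Host", "").split(":", 1)[0].lower()
        if host not in TRUSTED_HOSTS:
            raise ValueError(f"untrusted Host header: {host!r}")
        base = f"https://{host}"
    return f"{base}{RESET_PATH}{token}"

def link_host(url):
    """Where a reset link would actually send the token."""
    return urlsplit(url).hostname

if __name__ == "__main__":
    print("vulnerable:", vulnerable_reset_url(POISONED, TOKEN))
    print("configured:", safe_reset_url(POISONED, TOKEN, "https://kanboard.example.test/"))
    try:
        safe_reset_url(POISONED, TOKEN)
    except ValueError as e:
        print("rejected:", e)
```

Setting the base URL in configuration is the complete fix; the Host allowlist is a second line of defence for deployments that cannot set it, and also has to cover any reverse-proxy header the application trusts.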
Successful exploitation of the vulnerability could allow an attacker to intercept data and conduct session hijacking on the exposed data as the vulnerable product uses unencrypted HTTP communication, potentially leading to unauthorised access or data tampering.
A remote code execution vulnerability (CVSS 5.0) that allows an unauthenticated attacker. Remediation should follow standard vulnerability management procedures.
CVE-2025-34038 is an unauthenticated SQL injection vulnerability in Weaver E-cology 8.0's getdata.jsp endpoint that allows attackers to execute arbitrary SQL queries by injecting malicious code through the unsanitized 'sql' parameter in the getSelectAllIds() method. The vulnerability affects Weaver E-cology 8.0 and enables attackers to extract sensitive data including administrator password hashes without authentication. Active exploitation has been observed by Shadowserver Foundation as of 2025-02-05, indicating this is a real and present threat in the wild.
A remote code execution vulnerability in xxyopen/201206030 novel-plus (CVSS 4.2). Risk factors: public PoC available.
CVE-2025-34034 is a hardcoded credential vulnerability in Blue Angel Software Suite deployed on embedded Linux systems that allows unauthenticated or low-privilege attackers to gain administrative access to the device's web interface through undisclosed default accounts. The vulnerability carries a CVSS score of 8.8 (High) and has been actively exploited in the wild as evidenced by Shadowserver Foundation observations on 2025-01-26 UTC. This is a critical authentication bypass affecting embedded/IoT deployments with significant real-world exploitation risk.
The Moodle LMS Jmol plugin version 6.1 and earlier contains a path traversal vulnerability in jsmol.php. The query parameter is passed directly to file_get_contents() without validation, allowing unauthenticated attackers to read arbitrary files from the Moodle server including configuration files with database credentials.
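The path-traversal reads described for SysmonElixir's /read endpoint (above) and for the Jmol plugin's jsmol.php, together with the restrict-to-one-directory fix SysmonElixir adopted, as an added Python example that is not either project's code: a containment check built on realpath and commonpath, exercised against a constructed directory layout (file names and contents are made up for the example). The check assumes the caller has already percent-decoded the request parameter, as web frameworks do before handing it over.

```python
import os
import tempfile

def read_within(base_dir, requested):
    """Return the bytes of `requested` only if it resolves inside base_dir.

    realpath() collapses '..' segments and follows symlinks before the comparison,
    and commonpath() rather than startswith() is used so that a sibling such as
    /srv/data-old is not mistaken for a child of /srv/data.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute; the commonpath
    # check below catches that case as well as '..' and symlink escapes.
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{requested!r} resolves outside {base_dir!r}")
    with open(target, "rb") as fh:
        return fh.read()

def build_fixture():
    """Constructed layout: <tmp>/priv/data/report.txt is allowed, <tmp>/secret.txt
    is not, and <tmp>/priv/data/link -> <tmp>/secret.txt exercises symlink escape."""
    root = tempfile.mkdtemp()
    data = os.path.join(root, "priv", "data")
    os.makedirs(data)
    with open(os.path.join(data, "report.txt"), "wb") as fh:
        fh.write(b"quarterly numbers\n")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"db_password=hunter2\n")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(data, "link"))
    return root, data

def attempt(data_dir, requested):
    """Classify a request the way a handler would: allowed, denied, or missing."""
    try:
        return "allowed", read_within(data_dir, requested)
    except PermissionError:
        return "denied", None
    except FileNotFoundError:
        return "missing", None

if __name__ == "__main__":
    _, data = build_fixture()
    for req in ("report.txt", "../../secret.txt", "/etc/passwd", "link", "nope.txt"):
        print(f"{req!r:22} -> {attempt(data, req)[0]}")
```

The "missing" outcome is kept separate so the handler can return a uniform 404 for unknown files while still logging denied traversal attempts as security events. Passing the raw query string to a file read, as the jsmol.php description above says happens, is the absence of this check.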
A security vulnerability in NOYAFA/Xiami LF9 Pro (CVSS 4.3). Risk factors: public PoC available.
A security vulnerability in SIFUSM/MZZYG BD S1 (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in 70mai M300 (CVSS 8.8). Risk factors: public PoC available.
A security vulnerability in 70mai M300 (CVSS 3.1). Risk factors: public PoC available.
A vulnerability, which was classified as problematic, has been found in 70mai M300 up to 20250611. This issue affects some unknown processing of the component HTTP Server. The manipulation leads to insufficiently protected credentials. The attack can only be done within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security vulnerability in 70mai 1S (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in versions (CVSS 6.4). Remediation should follow standard vulnerability management procedures.
CVE-2025-6545 is an improper input validation vulnerability in the pbkdf2 library (versions 3.0.10 through 3.1.2) affecting the lib/to-buffer.js file that enables signature spoofing through inadequate validation mechanisms. Attackers with network access and minimal attack complexity can compromise the integrity of PBKDF2-derived cryptographic signatures, potentially allowing unauthorized authentication or data tampering. The high CVSS score of 9.1 reflects critical integrity and scope impacts, though real-world exploitation likelihood depends on confirmation of active exploitation and proof-of-concept availability.
A security vulnerability in PySpur-Dev pyspur (CVSS 6.3). Remediation should follow standard vulnerability management procedures.
Visionatrix versions 1.5.0 through 2.5.0 contain a Reflected XSS vulnerability in the /docs/flows endpoint that allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers. The vulnerability stems from improper use of FastAPI's get_swagger_ui_html function with unsanitized user-controlled input, enabling session hijacking and exfiltration of application secrets. The CVSS 8.8 score reflects high severity due to network accessibility, low attack complexity, and no privilege requirements, though user interaction is required to trigger the exploit.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Rated low severity (CVSS 2.8). No vendor patch available.
CVE-2023-47294 is a session cookie validation flaw in NCR Terminal Handler v1.5.1 that permits authenticated attackers with low privileges to craft malicious session cookies to arbitrarily deactivate, lock, and delete user accounts, resulting in high integrity and availability impact. This vulnerability has a CVSS 8.1 score (High severity) and affects NCR's point-of-sale and terminal management infrastructure; while no public POC or active KEV listing is confirmed from the provided data, the network-accessible nature (AV:N) and low attack complexity (AC:L) make this a material risk for organizations deploying this terminal handler in production environments.
An issue in NCR Terminal Handler 1.5.1 allows a low-level privileged authenticated attacker to query the SOAP API endpoint to obtain information about all of the users of the application including their usernames, roles, security groups and account statuses.
CVE-2023-47297 is a critical settings manipulation vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated remote attackers to execute arbitrary commands and modify system security auditing configurations without authentication. With a CVSS score of 9.8 and network-accessible attack vector, this vulnerability poses an immediate threat to NCR terminal deployments in retail and financial environments. The vulnerability's presence in point-of-sale systems and payment terminals makes it particularly dangerous for organizations processing financial transactions.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Aviatrix Controller versions before 7.1.4208, 7.2.5090, and 8.0.0 lack rate limiting on password reset PIN attempts, allowing unauthenticated attackers to brute force 6-digit PINs over the network without authentication or user interaction. The CVSS temporal metric E:P indicates that proof-of-concept exploit code exists; the flaw enables complete account takeover via password reset bypass and affects all Aviatrix Controller deployments running vulnerable versions.
CVE-2025-6513 is a local privilege escalation vulnerability in the BRAIN2 application where standard Windows users can access and decrypt the application's database configuration file without authentication. This allows unprivileged local users to obtain database credentials and potentially compromise sensitive data, with a CVSS score of 9.3 indicating critical severity. The vulnerability affects system confidentiality, integrity, and availability across trust boundaries.
A security vulnerability in Innoshop through 0.4.1 (CVSS 6.4). Remediation should follow standard vulnerability management procedures.
Out-of-bounds Read vulnerability in dail8859 NotepadNext (bundled Lua sources under src/lua/src). The affected file is lparser.c. This issue affects NotepadNext through v0.11. The singlevar() function in lparser.c lacks a luaK_exp2anyregup call, leading to a heap-based buffer over-read that can affect a system that compiles untrusted Lua code.
CVE-2025-52937 is a security vulnerability (CVSS 2.0). Remediation should follow standard vulnerability management procedures.
CVE-2025-52936 is a symlink following vulnerability (CWE-59) in sslh before version 2.2.2 that allows local attackers with low privileges to bypass file access controls and potentially achieve high-impact confidentiality and integrity violations. The vulnerability enables attackers to read, modify, or delete sensitive files through improper resolution of symbolic links during file operations. With a CVSS v4.0 score of 9.3 and an attack vector limited to local access requiring low privileges, this is a critical local privilege escalation risk for multi-user systems running vulnerable sslh versions.
OPPO Clone Phone devices implement a WiFi hotspot file transfer feature that uses weak default or easily guessable passwords, allowing unauthenticated attackers on the local network to connect and access sensitive files without authentication. This vulnerability (CVE-2025-27387) carries a CVSS score of 7.4 with high confidentiality impact, though exploitation requires physical proximity to the affected device's WiFi network. No active exploitation in the wild has been confirmed in public KEV databases, but the attack surface is significant given the prevalence of file-sharing features in budget smartphone lines.
A vulnerability classified as problematic has been found in HTACG tidy-html5 5.8.0. Affected is the function defaultAlloc of the file src/alloc.c. The manipulation leads to memory leak. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
A security vulnerability in scan.rs in spytrap-adb (CVSS 2.7). Remediation should follow standard vulnerability management procedures.
A security vulnerability in Sangfor aTrust through 2.4.10 (CVSS 4.3) that allows users. Risk factors: public PoC available.
A security vulnerability in Yealink RPS (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
The Yealink RPS API before 2025-05-26 lacks rate limiting, potentially enabling information disclosure via excessive requests.
A remote code execution vulnerability (CVSS 2.2). Remediation should follow standard vulnerability management procedures.
A Cross-Site Scripting (XSS) vulnerability has been identified in Psono-Client's handling of vault entries of type website_password and bookmark, as used in Bitdefender SecurePass. The client does not properly sanitize the URL field in these entries. As a result, an attacker can craft a malicious vault entry (or trick a user into creating or importing one) with a javascript: URL. When the user interacts with this entry (for example, by clicking or opening it), the application will execute the malicious JavaScript in the context of the Psono vault. This allows an attacker to run arbitrary code in the victim's browser, potentially giving them access to the user's password vault and sensitive data.
CVE-2025-3629 is a security vulnerability (CVSS 4.3) that allows an authenticated user. Remediation should follow standard vulnerability management procedures.
DNN (DotNetNuke) CMS versions 6.0.0 through 10.0.0 contain a vulnerability that can expose NTLM hashes to a third-party SMB server. Through a specially crafted series of interactions, an attacker can force the DNN server to authenticate to an attacker-controlled SMB server, capturing NTLM credential hashes for offline cracking.
CVE-2025-52557 is a stored/reflected XSS vulnerability in Mail-0's Zero email solution (version 0.8) that allows unauthenticated attackers to craft malicious emails containing JavaScript that the web interface fails to neutralize. When a victim opens the email in the web interface, the JavaScript executes in their browser context, enabling session hijacking and potential account takeover. The vulnerability has been patched in version 0.81, and exploitation requires user interaction (opening the email), making it a moderate-to-high severity issue suitable for rapid patching.
rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to version 1.0.3, there is a flaw in the timestamp response signature verification logic. In particular, chain verification is performed against the TSR's embedded certificates up to the trusted root(s), but fails to verify the TSR's own signature against the timestamping leaf certificates. Consequently, vulnerable versions perform insufficient signature validation to properly consider a TSR verified, as the attacker can introduce any TSR signature so long as the embedded leaf chains up to some root TSA. This issue has been patched in version 1.0.3. There is no workaround for this issue.
PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of PEAK-System Driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the PCANFD_ADD_FILTERS IOCTL. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-24161.
CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote authenticated attackers to read arbitrary files from the underlying system via unsanitized input to the /cgi-bin/cgiServer.exx endpoint's page parameter. This vulnerability affects IP phone administrators with network access to the management interface and carries a CVSS 8.5 score reflecting high confidentiality impact. Active exploitation evidence was documented by Shadowserver Foundation on 2025-02-02 UTC, indicating real-world attack activity.