14
CVEs
0
Critical
10
High
0
KEV
0
PoC
4
Unpatched C/H
57.1%
Patch Rate
0.0%
Avg EPSS
Severity Breakdown
CRITICAL
0
HIGH
10
MEDIUM
4
LOW
0
Monthly CVE Trend
Affected Products (13)
Indoor Connect 8855 Firmware
4
Ipecs Nms
4
Drutt Mobile Service Delivery Platform
3
Bscs Ix R18 Billing Rating Admx
2
Enterprise Content Management
2
Network Manager
2
Bscs Ix R18 Billing Rating Mx
2
Operations Support System Radio And Core Firmware
2
Open Redirect
1
PostgreSQL
1
Rx8200 Firmware
1
Network Location
1
Active Library Explorer
1
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-40837 | Ericsson Indoor Connect 8855 contains a missing authorization vulnerability which if exploited can allow access to the system as a user with higher privileges than intended. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. | HIGH | 8.7 | 0.1% | 44 |
No patch
|
| CVE-2025-27261 | Ericsson Indoor Connect 8855 contains an SQL injection vulnerability which if exploited can result in unauthorized disclosure or modification of data. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. | HIGH | 8.7 | 0.0% | 44 |
No patch
|
| CVE-2025-40842 | A Cross-Site Scripting (XSS) vulnerability exists in Ericsson Indoor Connect 8855 versions prior to 2025.Q3, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). An attacker can inject malicious scripts into the web interface, potentially leading to unauthorized disclosure and modification of sensitive information. No CVSS score, EPSS data, or KEV status is currently available, and no public proof-of-concept has been disclosed, though the vulnerability has been formally documented by Ericsson's Product Security Incident Response Team (PSIRT). | HIGH | 8.5 | 0.0% | 43 |
|
| CVE-2025-27260 | Ericsson Indoor Connect 8855 prior to version 2025.Q3 contains an Improper Filtering of Special Elements vulnerability (CWE-790) that allows attackers to bypass input validation controls and achieve unauthorized modification of sensitive information. This vulnerability affects all versions of the Indoor Connect 8855 product line below the 2025.Q3 release. No CVSS score, CVSS vector, EPSS data, or active exploitation status is currently available in public sources, limiting quantitative risk assessment, though the CWE-790 classification suggests the vulnerability involves inadequate sanitization of special characters or metacharacters in user input. | HIGH | 7.2 | 0.0% | 36 |
|
| CVE-2026-25657 | Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade service by continuously transmitting malformed messages that the gateway fails to parse safely. The condition causes recurring crashes that persist only while the attack is active, with automatic recovery once it stops, and no public exploit identified at time of analysis. | HIGH | 7.1 | 0.0% | 36 |
|
| CVE-2026-25658 | Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows adjacent network attackers to degrade service availability by continuously transmitting specially crafted messages that trigger improper handling of missing values (CWE-230). The affected PCG nodes crash repeatedly under sustained attack but self-recover once traffic stops, so impact is transient yet operationally significant for mobile core networks. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. | HIGH | 7.1 | 0.0% | 36 |
|
| CVE-2026-25659 | Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade telecom packet core service by continuously sending a specially crafted message that triggers improper handling of missing values (CWE-230). The condition persists only while the attack is sustained - the system self-recovers once traffic stops - and no public exploit identified at time of analysis, but the CVSS 4.0 score of 7.1 reflects high availability impact on a carrier-grade network function. | HIGH | 7.1 | 0.0% | 36 |
|
| CVE-2025-59174 | Denial-of-service in Ericsson Packet Core Controller (PCC) versions prior to 1.39 allows an adjacent-network attacker without credentials to degrade service by flooding the controller with specially crafted messages. The CVSS 4.0 score of 7.1 reflects high availability impact with no confidentiality or integrity loss; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. | HIGH | 7.1 | 0.0% | 36 |
|
| CVE-2024-53828 | Ericsson Packet Core Controller (PCC) versions prior to 1.38 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required. | MEDIUM | 5.3 | 0.0% | 27 |
|
| CVE-2025-40838 | Ericsson Indoor Connect 8855 contains a vulnerability where server-side security can be bypassed in the client which if exploited can lead to unauthorized disclosure of certain information. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. | MEDIUM | 5.1 | 0.0% | 26 |
No patch
|
| CVE-2025-40841 | A Cross-Site Request Forgery (CSRF) vulnerability exists in Ericsson Indoor Connect 8855 prior to version 2025.Q3 that allows attackers to perform unauthorized modification of certain information by tricking authenticated users into executing malicious requests. The vulnerability affects the Ericsson Indoor Connect 8855 product line and can be exploited to compromise the integrity of system data without explicit user awareness. No active exploitation in the wild (KEV status) or public proof-of-concept has been confirmed at this time, though the attack vector is typically network-based with low to medium complexity. | MEDIUM | 5.1 | 0.0% | 26 |
|
| CVE-2024-25011 | Ericsson Catalog Manager and Ericsson Order Care APIs do not have authentication enabled by default. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | MEDIUM | 5.3 | 0.0% | – |
No patch
|
| CVE-2025-27262 | Ericsson Indoor Connect 8855 contains a command injection vulnerability which if exploited can result in an escalation of privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available. | HIGH | 8.5 | 0.0% | – |
No patch
|
| CVE-2025-40836 | Ericsson Indoor Connect 8855 contains an improper input validation vulnerability which if exploited can allow an attacker to execute commands with escalated privileges. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. | HIGH | 8.7 | 0.1% | – |
No patch
|