Gaurav Baruah

**Name of the Vulnerable Software and Affected Versions** Synology Router Manager versions prior to 1.2.5-8227-6 Synology Router Manager versions prior to 1.3.1-9346-3 **Description** The issue is related to improper neutralization of special elements used in an OS command, allowing man-in-the-middle attackers to execute arbitrary commands. This can be exploited by remote attackers to execute commands via unspecified vectors. **Recommendations** For versions prior to 1.2.5-8227-6, update to version 1.2.5-8227-6 or later. For versions prior to 1.3.1-9346-3, update to version 1.3.1-9346-3 or later.

**Name of the Vulnerable Software and Affected Versions** Synology Router Manager versions prior to 1.2.5-8227-6 Synology Router Manager versions prior to 1.3.1-9346-3 **Description** The issue is related to an integer overflow or wraparound vulnerability in the CGI component of Synology Router Manager. This vulnerability can be exploited by a remote attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability allows remote attackers to overflow buffers via unspecified vectors. **Recommendations** For versions prior to 1.2.5-8227-6, update to version 1.2.5-8227-6 or later. For versions prior to 1.3.1-9346-3, update to version 1.3.1-9346-3 or later.

**Name of the Vulnerable Software and Affected Versions** Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers (affected versions not specified) Cisco Small Business RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in Cisco Small Business Routers, which could allow an attacker to execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause denial of service (DoS). The vulnerability of the firmware update module is associated with incorrect certificate authentication, which can be exploited by a remote attacker to load arbitrary software images. **Recommendations** For Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Cisco Small Business RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P, consider restricting access to the firmware update module to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cisco Small Business RV Series Routers versions RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P **Description** The issue concerns a vulnerability related to improper certificate validation in the firmware update process of the affected routers. This could allow an attacker to execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause denial of service (DoS). **Recommendations** For Cisco Small Business RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P, consider disabling the firmware update feature until a patch is available. Restrict access to the firmware update module to minimize the risk of exploitation. Avoid using unsigned software on the affected devices until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SolarWinds TFTP Server versions 9.2.0.111 and earlier Description: The issue allows remote attackers to cause a denial of service, resulting in the service stopping, via a crafted Option Acknowledgement (OACK) request. Recommendations: For SolarWinds TFTP Server versions 9.2.0.111 and earlier, consider disabling the service until a patch is available to prevent potential denial of service attacks.