Jacob Baines

**Name of the Vulnerable Software and Affected Versions** Four-Faith F3x36 router version 2.0.0 **Description** The issue is related to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. **Recommendations** For Four-Faith F3x36 router version 2.0.0, consider changing the hard-coded credentials in the administrative web server to prevent unauthorized access. As a temporary workaround, restrict access to the administrative web server until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Four-Faith F3x36 router version 2.0.0 **Description** The issue concerns an authentication bypass in the administrative web server of the Four-Faith F3x36 router. Specifically, authentication is not enforced on some administrative functionality when using the "bapply.cgi" endpoint instead of the normal "apply.cgi" endpoint. This allows a remote and unauthenticated user to modify settings or chain with existing authenticated vulnerabilities. **Recommendations** For Four-Faith F3x36 router version 2.0.0, consider disabling access to the "bapply.cgi" endpoint until a patch is available to prevent unauthorized modifications to settings. Restrict access to administrative functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Netgear FVS336Gv2 (affected versions not specified) Netgear FVS336Gv3 (affected versions not specified) Description: The issue concerns a command injection vulnerability in the Telnet interface. An authenticated and remote attacker can execute arbitrary OS commands as root over Telnet by sending crafted `util backup configuration` commands. Recommendations: For Netgear FVS336Gv2, consider disabling the Telnet interface until a patch is available. For Netgear FVS336Gv3, restrict access to the `util backup configuration` command to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco RV340 and RV345 Dual WAN Gigabit VPN Routers (affected versions not specified) **Description** A vulnerability in the upload module could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This issue is due to insufficient boundary checks when processing specific HTTP requests. An attacker could exploit this by sending crafted HTTP requests to an affected device, potentially allowing the execution of arbitrary code as the root user on the underlying operating system. **Recommendations** For Cisco RV340 and RV345 Dual WAN Gigabit VPN Routers, consider disabling the upload module as a temporary workaround until a patch is available. Restrict access to the device to minimize the risk of exploitation. Avoid using the vulnerable upload functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ASUS ExpertWiFi version (affected versions not specified) ASUS RT-AX55 version (affected versions not specified) ASUS RT-AX58U version (affected versions not specified) ASUS RT-AC67U version (affected versions not specified) ASUS RT-AC68R version (affected versions not specified) ASUS RT-AC68U version (affected versions not specified) ASUS RT-AX86 version (affected versions not specified) ASUS RT-AC86U version (affected versions not specified) ASUS RT-AX88U version (affected versions not specified) ASUS RT-AX3000 version (affected versions not specified) **Description** The issue is a code execution vulnerability affecting ASUS routers that support custom OpenVPN profiles. An authenticated and remote attacker can execute arbitrary operating system commands by uploading a crafted OVPN profile. **Recommendations** For all affected ASUS router models, consider disabling custom OpenVPN profile support until a patch is available. Restrict access to the OVPN profile upload feature to minimize the risk of exploitation. Avoid using the custom OpenVPN profile feature in the affected routers until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Grandstream UCM Series IP PBX versions prior to 1.0.20.52 **Description** The issue is related to a parameter injection vulnerability in the HTTP interface. A remote and authenticated attacker can execute arbitrary code by sending a crafted HTTP request. Authentication may be possible using a default user and password. The affected models are the UCM6202, UCM6204, UCM6208, and UCM6510. **Recommendations** For versions prior to 1.0.20.52, update the firmware to version 1.0.20.52 or later to resolve the issue. As a temporary workaround, consider restricting access to the HTTP interface until the update is applied. Additionally, changing default user and password settings can help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MikroTik RouterOS versions prior to 6.49.10 **Description** The web server used by MikroTik RouterOS is affected by a heap memory corruption issue. A remote and unauthenticated attacker can corrupt the server's heap memory by sending a crafted HTTP request. As a result, the web interface crashes and is immediately restarted. **Recommendations** For versions prior to 6.49.10, update to RouterOS 6.49.10 stable or later to resolve the issue. As a temporary workaround, consider restricting access to the web interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CENTUM CS 3000 versions R3.08.10 through R3.09.00 CENTUM VP versions R4.01.00 through R4.03.00 CENTUM VP versions R5.01.00 through R5.04.20 CENTUM VP versions R6.01.00 through R6.09.00 Exaopc versions R3.72.00 through R3.80.00 B/M9000 CS versions R5.04.01 through R5.05.01 B/M9000 VP versions R6.01.01 through R8.03.01 **Description** The issue is related to a violation of secure design principles in the communication of CAMS for HIS. An adjacent attacker can compromise a computer using CAMS for HIS software and use credentials from the compromised machine to access data from another machine using CAMS for HIS software. This can lead to a disabling of CAMS for HIS software functions on any affected machines, or information disclosure/alteration. **Recommendations** For CENTUM CS 3000 versions R3.08.10 through R3.09.00, update to a version outside of this range to mitigate the risk. For CENTUM VP versions R4.01.00 through R4.03.00, update to a version outside of this range to mitigate the risk. For CENTUM VP versions R5.01.00 through R5.04.20, update to a version outside of this range to mitigate the risk. For CENTUM VP versions R6.01.00 through R6.09.00, update to a version outside of this range to mitigate the risk. For Exaopc versions R3.72.00 through R3.80.00, update to a version outside of this range to mitigate the risk, but only if NTPF100-S6 'For CENTUM VP Support CAMS for HIS' is installed. For B/M9000 CS versions R5.04.01 through R5.05.01, update to a version outside of this range to mitigate the risk. For B/M9000 VP versions R6.01.01 through R8.03.01, update to a version outside of this range to mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** Windows Print Spooler versions prior to the version with the security update released by Microsoft **Description** The issue is related to insufficient access restrictions in the Windows Print Spooler service, allowing a remote attacker to execute arbitrary code with SYSTEM privileges by loading a malicious DLL library. This could enable the attacker to install programs, view, change, or delete data, or create new accounts with full user rights. **Recommendations** For Windows Print Spooler versions prior to the version with the security update released by Microsoft: Install the security updates provided by Microsoft immediately to address this issue. Additionally, consider changing the Point and Print default behavior as described in KB5005652. As a temporary workaround, consider restricting access to the Windows Print Spooler service until the security update is applied.

**Name of the Vulnerable Software and Affected Versions** Grandstream UCM6200 series versions prior to 1.0.19.20 Grandstream UCM6200 series versions prior to 1.0.20.17 **Description** The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. This issue is related to errors in input data validation. An attacker can exploit this to execute shell commands as root or inject HTML in password recovery emails. **Recommendations** For versions prior to 1.0.19.20, update to version 1.0.19.20 or later to resolve the issue. For versions prior to 1.0.20.17, update to version 1.0.20.17 or later to prevent HTML injection in password recovery emails. As a temporary workaround, consider restricting access to the HTTP interface until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** ELOG versions 3.1.4-57bea22 and below **Description** The issue is related to a denial of service vulnerability caused by a NULL pointer dereference. A remote unauthenticated attacker can crash the ELOG server by sending a crafted HTTP GET request to a vulnerable API endpoint, such as "/api/elog". **Recommendations** For ELOG versions 3.1.4-57bea22 and below, consider restricting access to the ELOG server until a fix is available to prevent potential denial of service attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ELOG versions 3.1.4-57bea22 and below **Description** The issue is related to a denial of service due to a use after free, where a remote unauthenticated attacker can crash the server by sending multiple HTTP POST requests. This causes the `retrieve url()` function to use a freed variable, leading to the denial of service. **Recommendations** For ELOG versions 3.1.4-57bea22 and below, as a temporary workaround, consider restricting access to the `retrieve url()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** RouterOS versions 6.45.6 and below RouterOS version 6.44.5 Long-term and below **Description** The issue allows a remote attacker to poison the router's DNS cache via malicious responses with additional and untrue records. This is due to the router adding all A records to its DNS cache even when the records are unrelated to the domain that was queried. The vulnerability exists because of insufficient input validation, which can allow an attacker to cause damage to the integrity of the data in the DNS system. **Recommendations** For RouterOS versions 6.45.6 and below, update to a version above 6.45.6 to resolve the issue. For RouterOS version 6.44.5 Long-term and below, update to a version above 6.44.5 to resolve the issue. As a temporary workaround, consider restricting access to the `winbox dns request` to minimize the risk of exploitation. Avoid using the vulnerable DNS cache functionality until the issue is resolved. Restrict access to the TCP port 8291 (Winbox) to prevent remote attackers from exploiting the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Amcrest IP2M-841B version 2.520.AC00.18.R Dahua IPC-XXBXX version 2.622.0000000.9.R Dahua IPC HX5X3X and HX4X3X version 2.800.0000008.0.R Dahua DH-IPC HX883X and DH-IPC-HX863X version 2.622.0000000.7.R Dahua DH-SD4XXXXX version 2.623.0000000.7.R Dahua DH-SD5XXXXX version 2.623.0000000.1.R Dahua DH-SD6XXXXX versions 2.623.0000000.1.R through 2.640.0000000.2.R Dahua NVR5XX-4KS2 version 3.216.0000006.0.R Dahua NVR4XXX-4KS2 version 3.216.0000006.0.R Dahua NVR2XXX-4KS2 (affected versions not specified) **Description** The issue allows an unauthenticated, remote person to access the HTTP endpoint "/videotalk" without requiring authentication. This could potentially allow the person to listen to the audio of the capturing device. **Recommendations** For Amcrest IP2M-841B version 2.520.AC00.18.R, consider disabling access to the "/videotalk" endpoint until a patch is available. For Dahua IPC-XXBXX version 2.622.0000000.9.R, restrict access to the "/videotalk" endpoint to minimize the risk of exploitation. For Dahua IPC HX5X3X and HX4X3X version 2.800.0000008.0.R, avoid using the "/videotalk" endpoint until the issue is resolved. For Dahua DH-IPC HX883X and DH-IPC-HX863X version 2.622.0000000.7.R, consider implementing authentication for the "/videotalk" endpoint as a temporary workaround. For Dahua DH-SD4XXXXX version 2.623.0000000.7.R, restrict access to the "/videotalk" endpoint to minimize the risk of exploitation. For Dahua DH-SD5XXXXX version 2.623.0000000.1.R, avoid using the "/videotalk" endpoint until the issue is resolved. For Dahua DH-SD6XXXXX versions 2.623.0000000.1.R through 2.640.0000000.2.R, consider disabling access to the "/videotalk" endpoint until a patch is available. For Dahua NVR5XX-4KS2 version 3.216.0000006.0.R, restrict access to the "/videotalk" endpoint to minimize the risk of exploitation. For Dahua NVR4XXX-4KS2 version 3.216.0000006.0.R, avoid using the "/videotalk" endpoint until the issue is resolved. For Dahua NVR2XXX-4KS2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco RV110W Wireless-N VPN Firewall versions (affected versions not specified) Cisco RV130W Wireless-N Multifunction VPN Router versions (affected versions not specified) Cisco RV215W Wireless-N VPN Router versions (affected versions not specified) **Description** The issue is related to errors in the authorization procedure of the web-based management interface, which could allow a remote attacker to access protected information. Specifically, the vulnerability is due to improper authorization of an HTTP request, allowing an unauthenticated attacker to access the syslog file on an affected device by accessing its URL. **Recommendations** For Cisco RV110W Wireless-N VPN Firewall, update the firmware to a version that fixes the authorization procedure error. For Cisco RV130W Wireless-N Multifunction VPN Router, update the firmware to a version that fixes the authorization procedure error. For Cisco RV215W Wireless-N VPN Router, update the firmware to a version that fixes the authorization procedure error. As a temporary workaround, consider restricting access to the syslog file URL to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Crestron AM-100 version 1.6.0.2 Crestron AM-101 version 2.7.0.1 Barco wePresent WiPG-1000P version 2.3.0.10 Barco wePresent WiPG-1600W versions prior to 2.4.1.19 Extron ShareLink 200/250 version 2.0.3.4 Teq AV IT WIPS710 version 1.1.0.7 SHARP PN-L703WA version 1.4.2.3 Optoma WPS-Pro version 1.0.0.5 Blackbox HD WPS version 1.0.0.5 InFocus LiteShow3 version 1.0.16 InFocus LiteShow4 version 2.0.0.7 **Description** The issue allows a remote, unauthenticated attacker to execute operating system commands as root via command injection through the "file transfer.cgi" HTTP endpoint. **Recommendations** For Crestron AM-100 version 1.6.0.2, consider disabling access to the "file transfer.cgi" endpoint until a patch is available. For Crestron AM-101 version 2.7.0.1, consider disabling access to the "file transfer.cgi" endpoint until a patch is available. For Barco wePresent WiPG-1000P version 2.3.0.10, consider disabling access to the "file transfer.cgi" endpoint until a patch is available. For Barco wePresent WiPG-1600W versions prior to 2.4.1.19, update to firmware 2.4.1.19 or later. For Extron ShareLink 200/250 version 2.0.3.4, consider disabling access to the "file transfer.cgi" endpoint until a patch is available. For Teq AV IT WIPS710 version 1.1.0.7, consider disabling access to the "file transfer.cgi" endpoint until a patch is available. For SHARP PN-L703WA version 1.4.2.3, consider disabling access to the "file transfer.cgi" endpoint until a patch is available. For Optoma WPS-Pro version 1.0.0.5, consider disabling access to the "file transfer.cgi" endpoint until a patch is available. For Blackbox HD WPS version 1.0.0.5, consider disabling access to the "file transfer.cgi" endpoint until a patch is available. For InFocus LiteShow3 version 1.0.16, consider disabling access to the "file transfer.cgi" endpoint until a patch is available. For InFocus LiteShow4 version 2.0.0.7, consider disabling access to the "file transfer.cgi" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MikroTik RouterOS versions Stable 6.43.12 and below MikroTik RouterOS versions Long-term 6.42.12 and below MikroTik RouterOS versions Testing 6.44beta75 and below **Description** The issue is related to directory traversal errors in the restricted access directory path. An authenticated, remote attack can exploit this to read and write files outside of the sandbox directory (/rw/disk) via the HTTP or Winbox interfaces. **Recommendations** For MikroTik RouterOS versions Stable 6.43.12 and below, update to a version above 6.43.12 to resolve the issue. For MikroTik RouterOS versions Long-term 6.42.12 and below, update to a version above 6.42.12 to resolve the issue. For MikroTik RouterOS versions Testing 6.44beta75 and below, update to a version above 6.44beta75 to resolve the issue. As a temporary workaround, consider restricting access to the HTTP and Winbox interfaces until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MikroTik RouterOS versions prior to 6.43.12 MikroTik RouterOS versions prior to 6.42.12 **Description** The issue is related to privilege management errors in the operating system. It allows a remote attacker to bypass firewall policies. The software executes user-defined network requests to both WAN and LAN clients, which can be used for bypassing the router's firewall or for network scanning activities. **Recommendations** For versions prior to 6.43.12, update to version 6.43.12 or later. For versions prior to 6.42.12, update to version 6.42.12 or later. As a temporary workaround, consider restricting access to the network to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions prior to 3.1.12 **Description** The issue is related to a lack of bounds checking on attacker-controlled data in the dsi opensess.c file, which can lead to an out of bounds write. This allows a remote unauthenticated attacker to potentially achieve arbitrary code execution. **Recommendations** For versions prior to 3.1.12, update to version 3.1.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the dsi opensess.c functionality until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** WebAccess/SCADA version 8.3.2 **Description** The issue is related to the lack of proper validation of user-supplied input, which may allow an attacker to cause a buffer overflow on the stack. **Recommendations** For WebAccess/SCADA version 8.3.2, update to a newer version that addresses the input validation issue to prevent potential buffer overflow attacks.