Mathy Vanhoef

**Name of the Vulnerable Software and Affected Versions** macOS Sequoia versions prior to 15.7.4 macOS Sonoma versions prior to 14.8.4 macOS Tahoe versions prior to 26.3 tvOS versions prior to 26.3 watchOS versions prior to 26.3 iOS versions prior to 18.7.5 iPadOS versions prior to 18.7.5 visionOS versions prior to 26.3 **Description** A logic issue exists that was addressed through improved checks. An attacker positioned on a privileged network may be able to intercept network traffic. **Recommendations** Update macOS Sequoia to version 15.7.4. Update macOS Sonoma to version 14.8.4. Update macOS Tahoe to version 26.3. Update tvOS to version 26.3. Update watchOS to version 26.3. Update iOS to version 18.7.5. Update iPadOS to version 18.7.5. Update visionOS to version 26.3.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to Tahoe 26.3 **Description** A permissions issue existed where an application could potentially access protected user data. This was addressed through the implementation of additional restrictions. **Recommendations** Update to macOS Tahoe 26.3.

Name of the Vulnerable Software and Affected Versions: linux (affected versions not specified) Description: The Linux kernel contains a flaw within its Wi-Fi functionality that could allow for attacks in mesh networks. This issue relates to A-MSDU (Aggregated MAC Service Data Unit) frames and can be mitigated with a patch. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 18.4 visionOS versions prior to 2.4 iOS versions prior to 18.4 iPadOS versions prior to 18.4 macOS Sequoia versions prior to 15.4 **Description** The issue allows an app to gain unauthorized access to the Local Network due to inadequate permissions checking. **Recommendations** For Safari versions prior to 18.4, update to Safari 18.4. For visionOS versions prior to 2.4, update to visionOS 2.4. For iOS versions prior to 18.4, update to iOS 18.4. For iPadOS versions prior to 18.4, update to iPadOS 18.4. For macOS Sequoia versions prior to 15.4, update to macOS Sequoia 15.4.

**Name of the Vulnerable Software and Affected Versions** IPv6 versions (affected versions not specified) **Description** The issue concerns IPv4-in-IPv6 and IPv6-in-IPv6 tunneling, as defined in RFC 2473, which does not require validation or verification of the source of a network packet. This allows an attacker to spoof and route arbitrary traffic via an exposed network interface. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IPv6-in-IPv4 tunneling (RFC 4213) versions not specified **Description** The issue is related to the IPv6-in-IPv4 tunneling protocol, which allows an attacker to spoof and route traffic via an exposed network interface. This can be exploited by a remote attacker to conduct attacks, such as spoofing a trusted object, by sending a specially crafted packet with two IP headers. The vulnerability is associated with insufficient source channel verification in packet tunneling protocols. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 13.7 iOS versions prior to 17.7 iPadOS versions prior to 17.7 visionOS versions prior to 2 macOS Sonoma versions prior to 14.7 macOS Sequoia versions prior to 15 **Description** A logic issue was addressed with improved checks, which may cause network traffic to leak outside a VPN tunnel, potentially leading to data exposure. **Recommendations** For macOS versions prior to 13.7, update to macOS Ventura 13.7 or later. For iOS versions prior to 17.7, update to iOS 17.7 or later. For iPadOS versions prior to 17.7, update to iPadOS 17.7 or later. For visionOS versions prior to 2, update to visionOS 2 or later. For macOS Sonoma versions prior to 14.7, update to macOS Sonoma 14.7 or later. For macOS Sequoia versions prior to 15, update to macOS Sequoia 15 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 18 iPadOS versions prior to 18 **Description** This issue allows an app to gain unauthorized access to the Local Network. The problem was addressed through improved state management. **Recommendations** For iOS versions prior to 18, update to iOS 18 to resolve the issue. For iPadOS versions prior to 18, update to iPadOS 18 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** macOS Ventura versions prior to 13.7 iOS versions prior to 17.7 iPadOS versions prior to 17.7 visionOS versions prior to 2 watchOS versions prior to 11 macOS Sequoia versions prior to 15 iOS versions prior to 18 iPadOS versions prior to 18 macOS Sonoma versions prior to 14.7 tvOS versions prior to 18 **Description** The issue was addressed with improved memory handling. An app may be able to cause unexpected system termination. **Recommendations** For macOS Ventura versions prior to 13.7, update to macOS Ventura 13.7. For iOS versions prior to 17.7, update to iOS 17.7. For iPadOS versions prior to 17.7, update to iPadOS 17.7. For visionOS versions prior to 2, update to visionOS 2. For watchOS versions prior to 11, update to watchOS 11. For macOS Sequoia versions prior to 15, update to macOS Sequoia 15. For iOS versions prior to 18, update to iOS 18. For iPadOS versions prior to 18, update to iPadOS 18. For macOS Sonoma versions prior to 14.7, update to macOS Sonoma 14.7. For tvOS versions prior to 18, update to tvOS 18.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 17.7 iPadOS versions prior to 17.7 Xcode versions prior to 16 visionOS versions prior to 2 watchOS versions prior to 11 macOS Sequoia versions prior to 15 tvOS versions prior to 18 **Description** This issue allows an app to gain unauthorized access to Bluetooth due to inadequate state management. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For iOS versions prior to 17.7, update to iOS 17.7 or later. For iPadOS versions prior to 17.7, update to iPadOS 17.7 or later. For Xcode versions prior to 16, update to Xcode 16 or later. For visionOS versions prior to 2, update to visionOS 2 or later. For watchOS versions prior to 11, update to watchOS 11 or later. For macOS Sequoia versions prior to 15, update to macOS Sequoia 15 or later. For tvOS versions prior to 18, update to tvOS 18 or later.

**Name of the Vulnerable Software and Affected Versions** IEEE 802.11 standard (affected versions not specified) **Description** The issue is related to the IEEE 802.11 standard, which sometimes enables an adversary to trick a victim into connecting to an unintended or untrusted network. This occurs because the SSID is not always used to derive the pairwise master key or session keys, and there is not a protected exchange of an SSID during a 4-way handshake. The problem affects all operating systems and Wi-Fi clients, including home and mesh networks based on WEP, WPA3, 802.11X/EAP, and AMPE protocols. An estimated number of potentially affected devices worldwide is not explicitly mentioned, but it is implied that the issue is widespread, affecting billions of devices. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include: - **API Endpoints:** Not specified - **Vulnerable Parameters or Variables:** `SSID` (network identifier) - **Function Names:** Not specified **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. However, proposed measures to mitigate the issue include updating the Wi-Fi standard to include SSID in the 4-way handshake when connecting to protected networks and improving beacon protection. As a temporary workaround, consider avoiding credential reuse and being cautious when connecting to Wi-Fi networks.

Name of the Vulnerable Software and Affected Versions: SCALANCE W1748-1 M12 (6GK5748-1GY01-0AA0) SCALANCE W1748-1 M12 (6GK5748-1GY01-0TA0) SCALANCE W1788-1 M12 (6GK5788-1GY01-0AA0) SCALANCE W1788-2 EEC M12 (6GK5788-2GY01-0TA0) SCALANCE W1788-2 M12 (6GK5788-2GY01-0AA0) SCALANCE W1788-2IA M12 (6GK5788-2HY01-0AA0) SCALANCE W721-1 RJ45 (6GK5721-1FC00-0AA0) SCALANCE W721-1 RJ45 (6GK5721-1FC00-0AB0) SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AA0) SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AB0) SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AC0) SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AA0) SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AA6) SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AB0) SCALANCE W734-1 RJ45 (USA) (6GK5734-1FX00-0AB6) SCALANCE W738-1 M12 (6GK5738-1GY00-0AA0) SCALANCE W738-1 M12 (6GK5738-1GY00-0AB0) SCALANCE W748-1 M12 (6GK5748-1GD00-0AA0) SCALANCE W748-1 M12 (6GK5748-1GD00-0AB0) SCALANCE W748-1 RJ45 (6GK5748-1FC00-0AA0) SCALANCE W748-1 RJ45 (6GK5748-1FC00-0AB0) SCALANCE W761-1 RJ45 (6GK5761-1FC00-0AA0) SCALANCE W761-1 RJ45 (6GK5761-1FC00-0AB0) SCALANCE W774-1 M12 EEC (6GK5774-1FY00-0TA0) SCALANCE W774-1 M12 EEC (6GK5774-1FY00-0TB0) SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AA0) SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AA6) SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AB0) SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AC0) SCALANCE W774-1 RJ45 (USA) (6GK5774-1FX00-0AB6) SCALANCE W778-1 M12 (6GK5778-1GY00-0AA0) SCALANCE W778-1 M12 (6GK5778-1GY00-0AB0) SCALANCE W778-1 M12 EEC (6GK5778-1GY00-0TA0) SCALANCE W778-1 M12 EEC (USA) (6GK5778-1GY00-0TB0) SCALANCE W786-1 RJ45 (6GK5786-1FC00-0AA0) SCALANCE W786-1 RJ45 (6GK5786-1FC00-0AB0) SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AA0) SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AB0) SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AC0) SCALANCE W786-2 SFP (6GK5786-2FE00-0AA0) SCALANCE W786-2 SFP (6GK5786-2FE00-0AB0) SCALANCE W786-2IA RJ45 (6GK5786-2HC00-0AA0) SCALANCE W786-2IA RJ45 (6GK5786-2HC00-0AB0) SCALANCE W788-1 M12 (6GK5788-1GD00-0AA0) SCALANCE W788-1 M12 (6GK5788-1GD00-0AB0) SCALANCE W788-1 RJ45 (6GK5788-1FC00-0AA0) SCALANCE W788-1 RJ45 (6GK5788-1FC00-0AB0) SCALANCE W788-2 M12 (6GK5788-2GD00-0AA0) SCALANCE W788-2 M12 (6GK5788-2GD00-0AB0) SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TA0) SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TB0) SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TC0) SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AA0) SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AB0) SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AC0) SCALANCE WAM763-1 (6GK5763-1AL00-7DA0) SCALANCE WAM766-1 (EU) (6GK5766-1GE00-7DA0) SCALANCE WAM766-1 (US) (6GK5766-1GE00-7DB0) SCALANCE WAM766-1 EEC (EU) (6GK5766-1GE00-7TA0) SCALANCE WAM766-1 EEC (US) (6GK5766-1GE00-7TB0) SCALANCE WUM763-1 (6GK5763-1AL00-3AA0) SCALANCE WUM763-1 (6GK5763-1AL00-3DA0) SCALANCE WUM766-1 (EU) (6GK5766-1GE00-3DA0) SCALANCE WUM766-1 (US) (6GK5766-1GE00-3DB0) Description: A vulnerability has been identified in Siemens SCALANCE products, allowing an attacker to override a client's security context. This could enable a physically proximate attacker to decrypt frames meant for the victim. The issue is related to authentication bypass via spoofing, which may allow a remote attacker to elevate their privileges. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** iNet wireless daemon (IWD) versions prior to 2.14 **Description** The issue allows attackers to gain unauthorized access to a protected Wi-Fi network by skipping certain messages in the EAPOL handshake and sending a message with an all-zero key. This can be done by exploiting the Access Point functionality in the eapol auth key handle function in eapol.c. The vulnerability affects private networks and is particularly dangerous for PCs running Linux, as it exposes home networks using a Linux device as an access point, allowing unauthorized access without a password. **Recommendations** For versions prior to 2.14, update to version 2.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable Access Point functionality until a patch is available. Avoid using the `eapol auth key handle` function in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions WireGuard client version 0.5.3 Description The WireGuard client version 0.5.3 on Windows has an insecure configuration of the operating system and firewall. This configuration can block traffic to a local network using non-RFC1918 IP addresses. An attacker can exploit this to trick a user into blocking IP traffic to specific IP addresses and services, even while the VPN is active. This issue can result in disruption of access to network resources. Recommendations Update to a newer version of the WireGuard client that addresses this firewall configuration issue.

**Name of the Vulnerable Software and Affected Versions** Clario VPN client versions 5.9.1.1662 and earlier **Description** The issue is related to the insecure configuration of the operating system by the Clario VPN client, which allows all IP traffic to the VPN server's IP address to be sent in plaintext outside the VPN tunnel. This can be exploited by an adversary to trick the victim into sending plaintext traffic to the VPN server's IP address, thereby deanonymizing the victim. The vulnerability is also referred to as the "ServerIP attack" for traffic to the real IP address of the VPN server. **Recommendations** For Clario VPN client versions 5.9.1.1662 and earlier, consider disabling the VPN client until a patch is available to prevent exploitation of the vulnerability. Restrict access to the VPN server's IP address to minimize the risk of deanonymization. Avoid sending sensitive traffic to the VPN server's IP address until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Avira Phantom VPN versions through 2.23.1 **Description** An issue was discovered in Avira Phantom VPN where the VPN client insecurely configures the operating system, sending all IP traffic to the VPN server's IP address in plaintext outside the VPN tunnel. This occurs even if the traffic is not generated by the VPN client, and simultaneously uses plaintext DNS to look up the VPN server's IP address. This allows an adversary to trick the victim into sending traffic to arbitrary IP addresses in plaintext outside the VPN tunnel. **Recommendations** For Avira Phantom VPN versions through 2.23.1, update to a version later than 2.23.1 to resolve the issue. As a temporary workaround, consider restricting access to the VPN server's IP address to minimize the risk of exploitation. Avoid using plaintext DNS to look up the VPN server's IP address until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Clario VPN client versions 5.9.1.1662 and earlier **Description** The issue concerns the insecure configuration of the operating system by the Clario VPN client, which results in traffic to the local network being sent in plaintext outside the VPN tunnel, even when the local network uses a non-RFC1918 IP subnet. This allows an adversary to trick the victim into sending arbitrary IP traffic in plaintext outside the VPN tunnel. The problem is related to the lack of protection for transmitted data. **Recommendations** For Clario VPN client versions 5.9.1.1662 and earlier, update to a version that fixes the insecure configuration issue to prevent traffic from being sent in plaintext outside the VPN tunnel. As a temporary workaround, consider restricting access to the local network to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** wpa supplicant versions through 2.10 **Description** The issue is related to the implementation of PEAP in wpa supplicant, which allows authentication bypass. For a successful attack, wpa supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap peap decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks. Up to 2.3 billion user devices may be exposed to this issue, including Android, Linux, and ChromeOS devices. **Recommendations** For wpa supplicant versions through 2.10, consider disabling the use of PEAP until a patch is available. Restrict access to Enterprise Wi-Fi networks to minimize the risk of exploitation. Avoid using configurations that do not verify the network's TLS certificate during Phase 1 authentication. As a temporary workaround, consider configuring wpa supplicant to verify the network's TLS certificate during Phase 1 authentication to prevent authentication bypass.

**Name of the Vulnerable Software and Affected Versions** wolfSSL versions through 5.0.0 **Description** The issue allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to TLS servers. **Recommendations** For wolfSSL versions through 5.0.0, update to a version later than 5.0.0 to resolve the issue. As a temporary workaround, consider restricting the acceptance of TLS messages in the client module to prevent infinite loops.

**Name of the Vulnerable Software and Affected Versions** Qualcomm Snapdragon (affected versions not specified) **Description** The issue is related to improper authentication of EAP WAPI EAPOL frames from unauthenticated users, which can lead to information disclosure. This affects various Qualcomm Snapdragon products, including Compute, Connectivity, Consumer Electronics Connectivity, Consumer IOT, Industrial IOT, Mobile, and Wired Infrastructure and Networking. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.