Matt Wiseman

**Name of the Vulnerable Software and Affected Versions** Hikvision Access Control Products (affected versions not specified) **Description** A stack overflow issue exists in the device Search and Discovery feature of Hikvision Access Control Products. An attacker on the same local area network (LAN) can cause the device to malfunction by sending specially crafted packets to an unpatched device. The issue does not require authentication. Millions of surveillance systems globally may be affected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MC LR Router version 2.10.5 **Description** The issue is related to OS command injection vulnerabilities in the web interface I/O configuration functionality. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities, specifically through the attacker-controlled `out1` parameter. The vulnerability occurs in the code where the `out1` parameter is used to construct a command that is executed by the `system()` function. **Recommendations** For MC LR Router version 2.10.5, consider disabling the `out1` parameter in the web interface I/O configuration functionality as a temporary workaround until a patch is available. Restrict access to the vulnerable web interface to minimize the risk of exploitation. Avoid using the `out1` parameter in authenticated HTTP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MC LR Router version 2.10.5 **Description** An OS command injection vulnerability exists in the web interface configuration upload functionality. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. **Recommendations** For version 2.10.5, patch immediately to prevent potential system compromise. As a temporary workaround, consider restricting access to the web interface configuration upload functionality until a patch is available. Monitor for exploit attempts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MC LR Router version 2.10.5 **Description** The issue concerns OS command injection vulnerabilities in the web interface I/O configuration functionality. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities, specifically through the attacker-controlled `btn1` parameter. **Recommendations** For MC LR Router version 2.10.5, consider restricting access to the web interface I/O configuration functionality until a patch is available. As a temporary workaround, avoid using the `btn1` parameter in authenticated HTTP requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MC LR Router version 2.10.5 **Description** The issue concerns OS command injection vulnerabilities in the web interface I/O configuration functionality. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities, specifically through the attacker-controlled `timer1` parameter, at offset `0x8e80`. **Recommendations** For MC LR Router version 2.10.5, consider restricting access to the web interface I/O configuration functionality until a patch is available. As a temporary workaround, avoid using the `timer1` parameter in authenticated HTTP requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AutomationDirect P3-550E version 1.2.10.9 **Description** The issue is related to insufficient protection of service data in the implementation of debug code, which can be exploited by a remote attacker to execute arbitrary code or cause a denial of service. A leftover debug code vulnerability exists in the Telnet Diagnostic Interface functionality, allowing unauthorized access through a specially crafted series of network requests. **Recommendations** For AutomationDirect P3-550E version 1.2.10.9, consider disabling the Telnet Diagnostic Interface functionality as a temporary workaround until a patch is available. Restrict access to the diagnostic interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AutomationDirect P3-550E version 1.2.10.9 **Description** The issue is related to insufficient data authentication in the scan lib.bin library of the AutomationDirect P3-550E programmable logic controller's software. This can allow a remote attacker to execute arbitrary code or cause a denial of service by exploiting the vulnerability. A specially crafted scan lib.bin file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. **Recommendations** For AutomationDirect P3-550E version 1.2.10.9, consider disabling the scan lib.bin functionality until a patch is available to prevent arbitrary code execution. Restrict access to the scan lib.bin file to minimize the risk of exploitation. Avoid using malicious or unverified scan lib.bin files to prevent triggering the vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AutomationDirect P3-550E version 1.2.10.9 **Description** A write-what-where issue exists in the Programming Software Connection Remote Memory Diagnostics functionality. This allows an attacker to send a specially crafted network packet, leading to an arbitrary write. The vulnerability can be triggered by an unauthenticated packet, potentially enabling a remote attacker to execute arbitrary code or cause a denial of service. **Recommendations** For AutomationDirect P3-550E version 1.2.10.9, consider disabling the Remote Memory Diagnostics functionality until a patch is available to prevent potential exploitation. Restrict access to the affected component to minimize the risk of arbitrary code execution or denial of service.

Name of the Vulnerable Software and Affected Versions: AutomationDirect P3-550E version 1.2.10.9 Description: Several out-of-bounds write vulnerabilities exist in the Programming Software Connection FileSystem API functionality. Specially crafted network packets can lead to heap-based memory corruption. An attacker can send malicious packets to trigger these vulnerabilities, potentially allowing a remote attacker to cause a denial of service. The arbitrary null-byte write vulnerability is located at offset `0xb69c8`. Recommendations: For AutomationDirect P3-550E version 1.2.10.9, as a temporary workaround, consider restricting access to the Programming Software Connection FileSystem API functionality until a patch is available. Avoid using the vulnerable API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AutomationDirect P3-550E version 1.2.10.9 Description: A heap-based buffer overflow vulnerability exists in the Programming Software Connection CurrDir functionality. This issue can be triggered by a specially crafted network packet, leading to denial of service. An attacker can send an unauthenticated packet to exploit this vulnerability, which occurs when a call to `memset` relies on an attacker-controlled length value and corrupts any trailing heap allocations at offset `0xb686c` of the P3-550E firmware. Recommendations: For AutomationDirect P3-550E version 1.2.10.9, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AutomationDirect P3-550E version 1.2.10.9 Description: The issue is related to out-of-bounds write vulnerabilities in the Programming Software Connection FileSystem API functionality. Specially crafted network packets can lead to heap-based memory corruption. An attacker can send malicious packets to trigger these vulnerabilities, potentially causing a denial of service. The arbitrary null-byte write vulnerability is located at offset `0xb6a38` in firmware 1.2.10.9 of the P3-550E. Recommendations: For AutomationDirect P3-550E version 1.2.10.9, consider disabling the FileSystem API functionality until a patch is available to prevent exploitation of the out-of-bounds write vulnerabilities. Restrict access to the Programming Software Connection to minimize the risk of malicious packet delivery. Avoid using the offset `0xb6a38` in the affected firmware until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AutomationDirect P3-550E version 1.2.10.9 **Description** A read-what-where vulnerability exists in the Programming Software Connection IMM 01A1 Memory Read functionality. This vulnerability can be triggered by a specially crafted network packet, leading to the disclosure of sensitive information. An attacker can send an unauthenticated packet to exploit this issue. The vulnerability is related to insufficient access control in the Programming Software Connection component of the AutomationDirect P3-550E programmable logic controllers. **Recommendations** For AutomationDirect P3-550E version 1.2.10.9, consider restricting access to the Programming Software Connection IMM 01A1 Memory Read functionality until a patch is available. As a temporary workaround, disabling the vulnerable functionality may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AutomationDirect P3-550E version 1.2.10.9 Description: A stack-based buffer overflow vulnerability exists in the Programming Software Connection FileSelect functionality. This issue can be triggered by a specially crafted network packet, leading to a stack-based buffer overflow. An attacker can send an unauthenticated packet to exploit this vulnerability, potentially allowing remote execution of arbitrary code. The vulnerability occurs at offset `0xb6e84` of version 1.2.10.9 of the P3-550E firmware. Recommendations: For AutomationDirect P3-550E version 1.2.10.9, consider disabling the FileSelect functionality in the Programming Software Connection until a patch is available to prevent exploitation of the stack-based buffer overflow vulnerability.

Name of the Vulnerable Software and Affected Versions: AutomationDirect P3-550E version 1.2.10.9 Description: The issue is related to out-of-bounds write vulnerabilities in the Programming Software Connection FileSystem API functionality. Specially crafted network packets can lead to heap-based memory corruption. An attacker can send malicious packets to trigger these vulnerabilities, potentially allowing a remote attacker to cause a denial of service. The arbitrary null-byte write vulnerability is located in firmware 1.2.10.9 of the P3-550E at offset `0xb69fc`. Recommendations: For AutomationDirect P3-550E version 1.2.10.9, consider disabling the FileSystem API functionality until a patch is available to prevent exploitation of the out-of-bounds write vulnerabilities. Restrict access to the Programming Software Connection to minimize the risk of malicious packet delivery. Avoid using the offset `0xb69fc` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AutomationDirect P3-550E version 1.2.10.9 Description: The issue is related to out-of-bounds write vulnerabilities in the Programming Software Connection FileSystem API functionality. Specially crafted network packets can lead to heap-based memory corruption. An attacker can send malicious packets to trigger these vulnerabilities, potentially causing a denial of service. The arbitrary null-byte write vulnerability is located at offset `0xb6bdc`. Recommendations: For AutomationDirect P3-550E version 1.2.10.9, consider disabling the FileSystem API functionality until a patch is available to prevent exploitation of the out-of-bounds write vulnerabilities. Restrict access to the Programming Software Connection to minimize the risk of remote attackers sending malicious packets. Avoid using the offset `0xb6bdc` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AutomationDirect P3-550E version 1.2.10.9 Description: A stack-based buffer overflow vulnerability exists in the Programming Software Connection FileSelect functionality. This issue can be triggered by a specially crafted network packet, allowing an attacker to send an unauthenticated packet and potentially execute arbitrary code. The vulnerability occurs at offset `0xb6e98` of version 1.2.10.9 of the P3-550E firmware. Recommendations: For AutomationDirect P3-550E version 1.2.10.9, consider disabling the FileSelect functionality in the Programming Software Connection until a patch is available to prevent potential exploitation. Restrict access to the network to minimize the risk of receiving specially crafted packets. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AutomationDirect P3-550E version 1.2.10.9 Description: The issue is related to out-of-bounds write vulnerabilities in the Programming Software Connection FileSystem API functionality. These vulnerabilities can be triggered by specially crafted network packets, leading to heap-based memory corruption. An attacker can exploit this by sending malicious packets, potentially causing a denial of service. The arbitrary null-byte write vulnerability is located in firmware 1.2.10.9 of the P3-550E at offset `0xb6c18`. Recommendations: For AutomationDirect P3-550E version 1.2.10.9, consider disabling the Programming Software Connection FileSystem API functionality until a patch is available to prevent exploitation. Restrict access to the vulnerable API endpoint to minimize the risk of heap-based memory corruption. Avoid using the offset `0xb6c18` in the affected firmware until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AutomationDirect P3-550E version 1.2.10.9 Description: The issue is related to out-of-bounds write vulnerabilities in the Programming Software Connection FileSystem API functionality. Specially crafted network packets can lead to heap-based memory corruption. An attacker can send malicious packets to trigger these vulnerabilities, potentially causing a denial of service. The arbitrary null-byte write vulnerability is located at offset `0xb6aa4`. Recommendations: For AutomationDirect P3-550E version 1.2.10.9, consider restricting access to the FileSystem API functionality until a patch is available. As a temporary workaround, avoid using the vulnerable API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AutomationDirect P3-550E version 1.2.10.9 Description: A heap-based buffer overflow issue exists in the Programming Software Connection FiBurn functionality. This can be triggered by a specially crafted network packet, leading to a buffer overflow. An attacker can send an unauthenticated packet to exploit this issue, potentially resulting in a denial of service. Recommendations: For AutomationDirect P3-550E version 1.2.10.9, consider restricting access to the FiBurn functionality until a patch is available. As a temporary workaround, disabling the FiBurn functionality may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Peplink Smart Reader version 1.2.0 **Description** An information disclosure vulnerability exists in the web interface functionality of the `/cgi-bin/download config.cgi` endpoint. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. **Recommendations** For Peplink Smart Reader version 1.2.0, consider restricting access to the `/cgi-bin/download config.cgi` endpoint until a patch is available. As a temporary workaround, avoid using this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.