Mccaulay Hudson

**Name of the Vulnerable Software and Affected Versions** Zyxel VMG4005-B50B versions prior to 5.13(ABRL.5.4)C0 **Description** A buffer overflow in the UPnP `AddPortMapping()` command allows an adjacent attacker to cause a temporary denial-of-service (DoS) condition, which is a state where a system becomes unavailable to its intended users, specifically affecting the UPnP function of the device. **Recommendations** Update to a version newer than 5.13(ABRL.5.4)C0. As a temporary workaround, restrict access to the `AddPortMapping()` command to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zyxel VMG4005-B50B versions prior to 5.13(ABRL.5.4)C0 **Description** A buffer overflow occurs in the UPnP `DeletePortMapping()` command. This allows an adjacent attacker to cause a temporary denial-of-service (DoS) condition, which is a state where a system or network becomes unavailable to its intended users, specifically affecting the UPnP function of the device. **Recommendations** Update to a version newer than 5.13(ABRL.5.4)C0. As a temporary workaround, consider restricting access to the `DeletePortMapping()` command to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Tesla Telematics Control Unit (TCU) firmware versions prior to 2025.14 **Description** The Tesla Telematics Control Unit (TCU) firmware is susceptible to an authentication bypass. The TCU operates the Android Debug Bridge (adbd) with root privileges. Despite a security check intended to disable adb shell access, adb push/pull and adb forward functionalities remain accessible. An attacker with physical access can exploit this by writing an arbitrary file to a writable location and subsequently overwriting the kernel’s `uevent helper` or `/proc/sys/kernel/hotplug` entries through ADB. This allows for the execution of scripts with root privileges. **Recommendations** Update Tesla Telematics Control Unit (TCU) firmware to version 2025.14 or later.

**Name of the Vulnerable Software and Affected Versions** Phoenix Contact CHARX SEC-3100 (affected versions not specified) **Description** An unauthenticated remote attacker can use this issue to change the device configuration due to a file being writeable for a short time after system startup. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Phoenix Contact CHARX SEC-3000 versions up to 1.6.2 **Description** A remote unauthenticated attacker can use the firmware update feature on the LAN interface of the device to reset the password for the predefined, low-privileged user `user-app` to the default password. The issue is related to insecure default resource initialization. **Recommendations** For Phoenix Contact CHARX SEC-3000 versions up to 1.6.2, update the firmware to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the firmware update feature on the LAN interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** JSZip versions prior to 3.8.0 **Description** The issue is related to the `loadAsync` function in JSZip, which allows directory traversal via a crafted ZIP archive. This can be exploited by a remote attacker to write arbitrary files and execute arbitrary commands using a specially crafted malicious ZIP archive. **Recommendations** For versions prior to 3.8.0, update to version 3.8.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `loadAsync` function until a patch is available. Avoid using the `loadAsync` function with untrusted ZIP archives until the issue is resolved.