Sina Kheirkhah

An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote attackers to obtain user credentials from the edge server.

Name of the Vulnerable Software and Affected Versions M-Files Server versions prior to 26.3 Description A blind server-side request forgery (SSRF) vulnerability exists in legacy connection methods of document co-authoring features. An unauthenticated attacker can cause the server to send HTTP GET requests to arbitrary URLs. Recommendations Update M-Files Server to version 26.3 or later.

Name of the Vulnerable Software and Affected Versions: SmarterTools SmarterMail versions prior to build 9511 Description: SmarterTools SmarterMail contains an authentication bypass vulnerability in the password reset API. The `force-reset-password` endpoint at `/api/v1/admin/force-reset-password` permits anonymous requests and does not verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator `username` and a new `password` to reset the account, resulting in full administrative compromise of the SmarterMail instance. SmarterMail system administrator privileges grant the ability to execute operating system commands. This vulnerability has been actively exploited in the wild, with reports of Warlock ransomware operators gaining access and moving laterally through networks. Approximately 6,000 instances were identified as potentially vulnerable. Exploitation involves resetting admin passwords and leveraging built-in features for remote code execution. Recommendations: Upgrade to build 9511 or later immediately. Restrict API access via IP allowlisting. Deploy a Web Application Firewall (WAF) for the `/force-reset-password` endpoint. Implement geo-blocking for admin interfaces. Review access logs for external POST requests, unauthorized admin changes, and new account creations. Rotate exposed credentials.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.2.3 through 12.2.14 **Description** Oracle E-Business Suite is affected by a critical remote code execution (RCE) vulnerability (CVE-2025-61882). This flaw allows unauthenticated attackers to execute arbitrary code, potentially leading to full system compromise and data theft. The vulnerability is actively exploited by the Cl0p ransomware group. Exploitation involves bypassing authentication through the BI Publisher Integration component, utilizing SSRF, CRLF injection, and XSLT template manipulation. A public proof-of-concept exploit is available. Multiple organizations have been impacted, with reports of data exfiltration and extortion attempts. Indicators of compromise (IOCs) have been shared by security researchers. **Recommendations** Oracle E-Business Suite versions 12.2.3 through 12.2.14: Apply the security patch released by Oracle immediately.

**Name of the Vulnerable Software and Affected Versions** Fortinet FortiSIEM versions 5.4.0 through 7.3.1 Fortinet FortiSIEM versions 6.1 through 7.3.1 Fortinet FortiSIEM versions 6.7 through 7.5 Fortinet FortiSIEM versions 7.0.0 through 7.0.3 Fortinet FortiSIEM versions 7.1.0 through 7.1.7 Fortinet FortiSIEM versions 7.2.0 through 7.2.5 **Description** Fortinet FortiSIEM is affected by an improper neutralization of special elements used in an OS command, also known as OS Command Injection (CWE-78). This allows an unauthenticated attacker to execute arbitrary code or commands via crafted CLI requests. Active exploitation of this issue has been confirmed, and exploit code is publicly available. The vulnerability impacts the phMonitor port (TCP/7900). There have been reports of brute-force attacks targeting Fortinet products preceding exploitation of this flaw. **Recommendations** Fortinet FortiSIEM versions 5.4.0 through 7.3.1: Upgrade to version 7.3.2 or later. Fortinet FortiSIEM versions 6.1 through 6.7.9: Upgrade to version 6.7.10 or later. Fortinet FortiSIEM versions 7.0.0 through 7.0.3: Upgrade to version 7.0.4 or later. Fortinet FortiSIEM versions 7.1.0 through 7.1.7: Upgrade to version 7.1.8 or later. Fortinet FortiSIEM versions 7.2.0 through 7.2.5: Upgrade to version 7.2.6 or later. As a temporary workaround, restrict access to the phMonitor port (TCP/7900).

**Name of the Vulnerable Software and Affected Versions** Kenwood DMX958XR (affected versions not specified) **Description** This issue allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices without authentication. The flaw resides within the firmware update process due to insufficient validation of user-supplied strings before they are used in system calls, enabling an attacker to execute code with root privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dell Unity versions prior to 5.5.1 Dell UnityVSA versions prior to 5.5.1 **Description** Dell Unity and UnityVSA contain an Improper Neutralization of Special Elements used in an OS Command vulnerability, also known as OS Command Injection. An unauthenticated, remote attacker could potentially exploit this issue to execute arbitrary commands on the system. The vulnerability stems from improper handling of login redirect URIs, allowing an attacker to insert shell metacharacters into a command execution string during the redirect process. This could lead to unauthorized configuration changes, data access, or complete control over the appliance. **Recommendations** Upgrade to version 5.5.1 or later to address this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SMA100 series (affected versions not specified) **Description** A heap-based buffer overflow exists in the web interface. This allows a remote, unauthenticated attacker to cause a Denial of Service (DoS) or potentially achieve code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SonicWall SMA100 series **Description** A stack-based buffer overflow vulnerability in the web interface allows a remote, unauthenticated attacker to cause a Denial of Service (DoS) or potentially achieve code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SMA100 series versions (affected versions not specified) **Description** A reflected cross-site scripting (XSS) vulnerability exists in the web interface, allowing a remote unauthenticated attacker to potentially execute arbitrary JavaScript code. Cross-site scripting (XSS) is a type of security flaw that allows attackers to inject malicious scripts into web pages viewed by other users. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sophos Intercept X for Windows with Central Device Encryption versions 2025.1 and older **Description** A local privilege escalation vulnerability allows arbitrary code execution. **Recommendations** Update Sophos Intercept X for Windows with Central Device Encryption to a version later than 2025.1.

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: An unauthenticated adjacent attacker can configure a new OCPP backend due to insecure defaults for the configuration interface. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WOLFBOX Level 2 EV Charger (affected versions not specified) **Description** This issue allows network-adjacent attackers to execute arbitrary code on affected installations. Although authentication is required to exploit this issue, the existing authentication mechanism can be bypassed. The flaw exists within the Tuya communications module software, resulting from the exposure of a method that allows the upload of crafted software images to the module. An attacker can leverage this issue to execute code in the context of the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Alpine iLX-507 (affected versions not specified) **Description** This issue allows physically present attackers to execute arbitrary code on affected installations. Authentication is not required for exploitation. The flaw resides within the `UPDM wstpCBCUpdStart` function due to insufficient validation of user-supplied data before executing a system call, enabling an attacker to execute code with root privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SysAid On-Prem versions 23.3.40 and earlier **Description** SysAid On-Prem is affected by an unauthenticated XML External Entity (XXE) issue in the Server URL processing functionality. This allows for administrator account takeover and file read operations. The issue is due to improper restriction of XML external entity references. Reports indicate active exploitation of this issue. **Recommendations** Versions prior to 23.3.40 should be updated.

**Name of the Vulnerable Software and Affected Versions** SysAid On-Prem versions 23.3.40 and earlier **Description** SysAid On-Prem software is affected by an unauthenticated XML External Entity (XXE) issue in the `lshw` processing functionality. Exploitation of this issue may allow a remote attacker to take control of administrator accounts and read files. The vulnerability resides in the `doPost` method of the `com.ilient.agentApi.LshwAgent` component when processing requests to the `/lshw` API endpoint. The issue involves improper restriction of XML references to external entities. The vulnerable parameter is not explicitly specified. **Recommendations** SysAid On-Prem versions 23.3.40 and earlier should be updated to a newer, fixed version.

**Name of the Vulnerable Software and Affected Versions** SysAid On-Prem versions 23.3.40 and earlier **Description** SysAid On-Prem is affected by an unauthenticated XML External Entity (XXE) issue in the Checkin processing functionality. This allows for administrator account takeover and file read capabilities. Multiple reports indicate this issue, identified as CVE-2025-2775, can be chained with other flaws to achieve remote code execution (RCE). The vulnerability resides in the improper restriction of XML external entity references, specifically when processing check-in requests. Exploitation involves submitting malicious XML payloads, potentially through the `/api/v1/servicenow` endpoint. The `XML` input is vulnerable. This allows attackers to potentially exfiltrate sensitive data. Several sources indicate the vulnerability is actively exploited. **Recommendations** Update SysAid On-Prem to version 24.4.60 b16 or later. As a temporary workaround, disable XXE processing. Monitor API logs for suspicious activity. Restrict access to the Checkin processing functionality.

**Name of the Vulnerable Software and Affected Versions** Sophos Intercept X for Windows with Central Device Encryption versions 2024.2.0 and earlier **Description** A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption allows writing of arbitrary files. This issue is related to the use of unsupported third-party components in the Device Encryption component. Exploitation of this vulnerability may allow an attacker to write arbitrary files. **Recommendations** For Sophos Intercept X for Windows with Central Device Encryption version 2024.2.0 and earlier, update to version 2024.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the Device Encryption component to minimize the risk of exploitation. Avoid using the vulnerable component until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Veeam Backup & Replication (affected versions not specified) Description: The issue is related to insecure deserialization in Veeam Backup & Replication, allowing a low-privileged user to connect to remoting services and exploit this vulnerability by sending a serialized temporary file collection. This can enable an attacker to delete any file on the system with service account privileges. The vulnerability is caused by an insufficient blacklist during the deserialization process. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChargePoint Home Flex (affected versions not specified) **Description** This issue allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. No authentication is required to exploit this issue. The specific flaw exists within the `wlanapp` module, resulting from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.