Stephen Fewer

**Name of the Vulnerable Software and Affected Versions** Cisco Catalyst SD-WAN Controller (affected versions not specified) Cisco Catalyst SD-WAN Manager (affected versions not specified) Cisco Catalyst SD-WAN versions prior to 20.12.6.2 **Description** A critical authentication bypass exists in the peering authentication mechanism of the control connection handshaking process. The flaw resides in the `vdaemon` service, where the system fails to properly validate incoming certificates and tokens if specific header options are altered. An unauthenticated remote attacker can exploit this by mimicking a legitimate network controller or vHub, sending crafted handshake packets or DTLS connections with self-signed certificates to induce a state-mismatch. This causes the validation subsystem to fall back to a permissive state, granting the attacker an administrative session token as a high-privileged internal user. Successful exploitation provides access to NETCONF, allowing the attacker to manipulate global routing tables, inject malicious routing policies, modify network configurations for the SD-WAN fabric, and potentially escalate to root privileges. Real-world incidents involve a state-sponsored actor designated as UAT-8616, who has used this flaw to add SSH keys, deploy web shells, run XMRig miners, and steal AWS keys. **Recommendations** Update Cisco Catalyst SD-WAN to version 20.12.6.2 or newer. Modify edge firewall rules to drop all traffic targeting controller management or synchronization ports unless it originates from pre-verified static IP addresses of known infrastructure peers. Restrict all inbound external access to NETCONF endpoints globally. Audit controller logs for unauthorized peering attachment sequences or abrupt configuration changes. Perform a full user inventory via the CLI to identify unauthorized secondary administrative accounts. Export global routing and security policy tables to perform a diff analysis against known-good backup baselines.

Name of the Vulnerable Software and Affected Versions Brother MFC-L2710DW printers (affected versions not specified) Description A flaw exists in the firmware of Brother MFC-L2710DW printers that can lead to information disclosure regarding files and directories. Successful exploitation may allow a remote attacker to gain unauthorized access to protected information. The vulnerability involves the 'uscan' protocol from the eSCL specification, potentially revealing the serial number of the printer. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions prior to 17.3 PostgreSQL versions prior to 16.7 PostgreSQL versions prior to 15.11 PostgreSQL versions prior to 14.16 PostgreSQL versions prior to 13.19 **Description** The issue is related to improper neutralization of quoting syntax in PostgreSQL libpq functions, specifically `PQescapeLiteral()`, `PQescapeIdentifier()`, `PQescapeString()`, and `PQescapeStringConn()`. This allows a database input provider to achieve SQL injection in certain usage patterns, particularly when the application uses the function result to construct input to `psql`, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when `client encoding` is BIG5 and `server encoding` is one of EUC TW or MULE INTERNAL. The vulnerability has been exploited in real-world attacks, including the US Treasury hack, and is considered high-severity. **Recommendations** For versions prior to 17.3, update to version 17.3 or later. For versions prior to 16.7, update to version 16.7 or later. For versions prior to 15.11, update to version 15.11 or later. For versions prior to 14.16, update to version 14.16 or later. For versions prior to 13.19, update to version 13.19 or later. As a temporary workaround, consider restricting access to the `psql` tool and limiting the use of the vulnerable libpq functions until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Lorex 2K Indoor Wi-Fi Security Camera versions prior to 2.800.0000000.8.R.20241111 **Description** An attacker who can execute arbitrary Operating Systems commands can bypass code signing enforcements in the kernel and execute arbitrary native code. The issue allows manipulation that leads to insufficient data authenticity verification. **Recommendations** For versions prior to 2.800.0000000.8.R.20241111, upgrade to version 2.800.0000000.8.R.20241111 or later to resolve the issue. As a temporary workaround, consider restricting access to the kernel to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Lorex 2K Indoor Wi-Fi Security Camera versions prior to 2.800.0000000.8.R.20241111 Description: An unauthenticated attacker can perform an out of bounds heap read in the IQ Service (TCP port 9876). This issue is related to a buffer overflow in the IQ service's memory, which can allow a remote attacker to elevate their privileges to the root level and gain full access to the device. The exploitation occurs through a TCP connection on port 9876. Recommendations: For versions prior to 2.800.0000000.8.R.20241111, update the firmware to version 2.800.0000000.8.R.20241111 to resolve the issue. As a temporary workaround, consider restricting access to the IQ Service on TCP port 9876 until the firmware update is applied.

Name of the Vulnerable Software and Affected Versions: Lorex 2K Indoor Wi-Fi Security Camera versions prior to 2.800.0000000.8.R.20241111 Description: An unauthenticated attacker can perform a null pointer dereference in the `DHIP Service` using the UDP port `37810`. This issue can potentially allow a remote attacker to elevate privileges to the root level and gain full access to the device. Recommendations: For versions prior to 2.800.0000000.8.R.20241111, update the firmware to version 2.800.0000000.8.R.20241111 to resolve the issue. As a temporary workaround, consider restricting access to the `DHIP Service` on UDP port `37810` until the update is applied.

Name of the Vulnerable Software and Affected Versions: Lorex 2K Indoor Wi-Fi Security Camera versions prior to 2.800.0000000.8.R.20241111 Description: An authenticated attacker can trigger a stack-based buffer overflow in the DHIP Service (TCP port 80). This issue allows a remote attacker to potentially execute arbitrary code. The vulnerability is related to the DHIP service and can be exploited through a connection on TCP port 80. Recommendations: For versions prior to 2.800.0000000.8.R.20241111, update the firmware to version 2.800.0000000.8.R.20241111 to resolve the issue. As a temporary workaround, consider restricting access to the DHIP service on TCP port 80 until the update is applied.

Name of the Vulnerable Software and Affected Versions: Lorex 2K Indoor Wi-Fi Security Camera versions prior to 2.800.0000000.8.R.20241111 Description: An unauthenticated attacker can trigger a stack-based buffer overflow in the DP Service (TCP port 3500). This issue can potentially allow a remote attacker to elevate their privileges to the root level and gain full access to the device. The vulnerability is related to a buffer overflow in the memory, which can be exploited by an attacker to gain control. Recommendations: For versions prior to 2.800.0000000.8.R.20241111, update the firmware to version 2.800.0000000.8.R.20241111 to resolve the issue. As a temporary workaround, consider restricting access to the DP Service on TCP port 3500 to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QTS versions prior to 5.1.5.2645 build 20240116 QuTS hero versions prior to h5.1.5.2647 build 20240118 QuTScloud versions prior to c5.1.5.2651 **Description** An OS command injection vulnerability exists in QNAP operating system versions due to the lack of neutralization of special elements used in the operating system command. This vulnerability could allow a remote attacker to execute arbitrary commands via a network. The issue is related to the quick.cgi file, which is used to configure uninitialized systems. There have been attempts to exploit this vulnerability, with code execution attempts targeting the '/cgi-bin/quick/quick.cgi' endpoint. **Recommendations** For QTS versions prior to 5.1.5.2645 build 20240116, update to QTS 5.1.5.2645 build 20240116 or later. For QuTS hero versions prior to h5.1.5.2647 build 20240118, update to QuTS hero h5.1.5.2647 build 20240118 or later. For QuTScloud versions prior to c5.1.5.2651, update to QuTScloud c5.1.5.2651 or later. As a temporary workaround, consider restricting access to the vulnerable quick.cgi file until a patch is applied. To mitigate the risk, upgrade the firmware through the Control Panel > System > Firmware Update.

**Name of the Vulnerable Software and Affected Versions** Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers (affected versions not specified) **Description** The issue allows an attacker to execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause denial of service (DoS). This is caused by a buffer overflow in the firmware loading module of the affected routers. Exploitation can occur through sending a specially crafted HTTP request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Small Business RV Series Routers versions RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P **Description** The issue is related to a stack-based buffer overflow vulnerability and insufficient authorization in the web interface of the affected routers. This could allow a remote attacker to elevate privileges to the level of root, execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause denial of service (DoS). **Recommendations** For RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P, update the firmware to a version that addresses the vulnerabilities. As a temporary workaround, consider restricting access to the web interface of the affected routers until a patch is available. Restrict access to the vulnerable `web interface` to minimize the risk of exploitation. Avoid using unsigned software on the affected routers until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Small Business RV340 versions le1.0.03.24 and earlier Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers (affected versions not specified) **Description** The vulnerability exists due to the lack of measures to neutralize special elements used in the operating system command. Exploitation of the vulnerability may allow a remote attacker to execute arbitrary commands using a specially crafted request. The issue could also allow an attacker to execute arbitrary code, elevate privileges, bypass authentication and authorization protections, fetch and run unsigned software, or cause denial of service (DoS). **Recommendations** For Cisco Small Business RV340 version le1.0.03.24 and earlier, update to a version later than le1.0.03.24 to resolve the issue. For Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NETGEAR R6400 versions prior to the fixed version NETGEAR R6400v2 versions prior to the fixed version NETGEAR R6700v3 version 1.0.4.120 10.0.91 NETGEAR R6900P versions prior to the fixed version NETGEAR R7000 versions prior to the fixed version NETGEAR R7000P versions prior to the fixed version NETGEAR R8500 versions prior to the fixed version NETGEAR RS400 versions prior to the fixed version NETGEAR WNDR3400v3 versions prior to the fixed version NETGEAR WNR3500Lv2 versions prior to the fixed version NETGEAR XR300 versions prior to the fixed version NETGEAR D6220 versions prior to the fixed version NETGEAR D6400 versions prior to the fixed version NETGEAR D7000v2 versions prior to the fixed version NETGEAR R7100LG versions prior to the fixed version NETGEAR DC112A versions prior to the fixed version **Description** The issue is related to a buffer overflow due to the lack of validation of the length of user-supplied data when handling SOAP requests, specifically when parsing the `SOAPAction` header. This allows an attacker to execute arbitrary code in the context of root without requiring authentication. The vulnerability can be exploited by network-adjacent attackers. **Recommendations** For NETGEAR R6400, update to a version that fixes the vulnerability. For NETGEAR R6400v2, update to a version that fixes the vulnerability. For NETGEAR R6700v3 version 1.0.4.120 10.0.91, update to a version that fixes the vulnerability. For NETGEAR R6900P, update to a version that fixes the vulnerability. For NETGEAR R7000, update to a version that fixes the vulnerability. For NETGEAR R7000P, update to a version that fixes the vulnerability. For NETGEAR R8500, update to a version that fixes the vulnerability. For NETGEAR RS400, update to a version that fixes the vulnerability. For NETGEAR WNDR3400v3, update to a version that fixes the vulnerability. For NETGEAR WNR3500Lv2, update to a version that fixes the vulnerability. For NETGEAR XR300, update to a version that fixes the vulnerability. For NETGEAR D6220, update to a version that fixes the vulnerability. For NETGEAR D6400, update to a version that fixes the vulnerability. For NETGEAR D7000v2, update to a version that fixes the vulnerability. For NETGEAR R7100LG, update to a version that fixes the vulnerability. For NETGEAR DC112A, update to a version that fixes the vulnerability. As a temporary workaround, consider disabling the handling of SOAP requests until a patch is available. Restrict access to the vulnerable `upnpd` service to minimize the risk of exploitation. Avoid using the `SOAPAction` header in SOAP requests to the affected routers until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 66 **Description** The issue is related to the lack of protection for internal data in the browser, which can be exploited by a remote attacker to gain access to confidential information. In the context of Firefox, if a Sandbox content process is compromised, it can initiate an FTP download. The downloaded data can then be passed to the Chrome process with an arbitrary file length supplied by an attacker, bypassing sandbox protections and potentially allowing for a memory read of adjacent data from the privileged Chrome process, which may include sensitive data. **Recommendations** For versions prior to 66, update to version 66 or later to resolve the issue. As a temporary workaround, consider restricting access to FTP downloads in the Sandbox content process to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 58 **Description** The issue is related to memory safety bugs, including evidence of memory corruption, which could potentially be exploited to run arbitrary code. The vulnerability is also described as a buffer data boundary operation issue, allowing a remote attacker to execute arbitrary code. **Recommendations** For versions prior to 58, update to version 58 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data and minimizing browser usage until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 55 Firefox ESR versions prior to 52.3 Thunderbird versions prior to 52.3 **Description** The issue is related to the destructor function for the WindowsDllDetourPatcher class, which can be exploited by malicious code to write arbitrary data to a controlled location in memory. This can bypass existing memory protections. The attack is limited to Windows operating systems. The vulnerability is associated with insufficient input validation in the destructor function of the WindowsDllDetourPatcher class in Firefox, Firefox ESR, and Thunderbird browsers, allowing a remote attacker to potentially elevate their privileges. **Recommendations** For Firefox versions prior to 55, update to version 55 or later. For Firefox ESR versions prior to 52.3, update to version 52.3 or later. For Thunderbird versions prior to 52.3, update to version 52.3 or later.

**Name of the Vulnerable Software and Affected Versions** Novell ZENworks Configuration Management (ZCM) versions prior to 10.3 **Description** A directory traversal issue exists in the UploadServlet of the Remote Management component. This allows remote attackers to execute arbitrary code by sending a crafted zenworks-fileupload request. The request must include a specific directory name in the `type` parameter, a WAR filename in the `filename` parameter, and WAR content in the POST data. **Recommendations** For versions prior to 10.3, update to version 10.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer (affected versions not specified) **Description** The issue is related to incorrect access to objects in memory, which can cause a memory error and allow an attacker to execute arbitrary code in the context of the current user. This is a remote code execution issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer versions 9 through 10 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service due to memory corruption via a crafted web site. This occurs because Internet Explorer improperly accesses objects in memory, potentially corrupting memory in a way that enables an attacker to execute arbitrary code in the context of the current user. **Recommendations** For Microsoft Internet Explorer versions 9 through 10, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer versions 9 through 10 **Description** The issue is related to a use-after-free vulnerability that allows remote attackers to execute arbitrary code via a crafted web site, triggering access to a deleted object. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. **Recommendations** For Microsoft Internet Explorer versions 9 and 10, at the moment, there is no information about a newer version that contains a fix for this vulnerability.