Ta-Lun Yen

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** The device encrypts data using AES-CBC (Advanced Encryption Standard in Cipher Block Chaining mode) with static zero-filled Initialization Vectors (IVs). This implementation allows for known-plaintext decryption and replay attacks, where an attacker captures and re-transmits valid data packets to deceive the system. The issue is exploitable over the network without requiring authentication. **Recommendations** Replace the static zero-filled IVs with random IVs for every encryption operation.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** Incoming VPN network profile settings do not safely process special characters, which allows for command injection through the use of malicious configuration files. Command injection is a technique where an attacker executes arbitrary operating system commands on the server by exploiting insufficient input validation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** The system Binder boundary accepts unverified pass-through AT commands. This allows local applications to read baseband files or disable cellular connectivity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, which shifts administrative ownership to an external attacker. MDM is a technology used by IT departments to monitor, manage, and secure employees' mobile devices. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** System log files output unencrypted SMTP server authentication passwords and sensitive employee corporate identification data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping.

Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing (CORS) rules that allow cross-site theft.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** High-risk `TrustAllCerts` routines disable standard TLS certificate validation. When combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor—an attacker who secretly relays and possibly alters the communications between two parties—could decrypt network traffic. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

The system fails to evaluate instructional permissions over multiple internal operation codes (opcodes), permitting unauthorized application installations or command executions.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** The local MQTT broker fails to enforce topic-level Access Control Lists (ACLs), which are rules that define which clients can access specific topics. This allows any client to use wildcard characters (`#` or `+`) to enumerate hidden network devices or publish unauthorized control commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet.

**Name of the Vulnerable Software and Affected Versions** ai cmd (affected versions not specified) **Description** The `ai cmd` utility executes with full root permissions and pipes socket inputs directly to the `popen()` function. This allows unauthenticated users to execute arbitrary commands with root privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, which may lead to asset exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FieldX MDM (affected versions not specified) **Description** The adb messaging topic passes unverified payloads directly into the `Runtime.exec()` function, which enables command or instruction injection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations. A Broadcast Receiver is a component that allows an application to receive and respond to system-wide broadcast announcements. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** Hard-coded APK resource files do not expire, and the use of a shared scepter results in information leaks and potential misuse. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

The debugging routine SCREEN CLICK(5053) enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell interface.

The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages.

**Name of the Vulnerable Software and Affected Versions** Acer Connect M6E 5G Portable WiFi Router (affected versions not specified) **Description** Engineering diagnostics and factory-level diagnostic software are exposed on retail builds. This allows malicious applications to obtain write privileges to internal NVRAM registers, which are non-volatile memory used to store system configuration settings. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.