Todb

**Name of the Vulnerable Software and Affected Versions** Yarbo firmware version 2.3.9 **Description** The embedded MQTT broker is configured to permit anonymous connections and lacks topic-level read or write Access Control Lists (ACLs). This allows any host on the same network to subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Yarbo firmware version 2.3.9 **Description** The firmware contains hardcoded administrative credentials embedded in the image. These credentials are identical across all devices and cannot be modified or removed by end users, allowing unauthorized access to device management interfaces. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Yarbo version 2.3.9 **Description** A hidden, persistent backdoor provides remote, unauthenticated or weakly authenticated access to privileged functionality. This backdoor is undocumented, cannot be disabled through user-facing settings, and persists after factory resets and standard firmware updates. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ghidra versions prior to 12.0.3 **Description** The software improperly processes annotation directives embedded in automatically extracted binary data, leading to arbitrary command execution when a user interacts with the user interface. The `@execute` annotation, designed for trusted, user-authored comments, is also parsed in comments generated during auto-analysis, such as CFStrings in Mach-O binaries. This allows a crafted binary to present clickable text that, when clicked, executes attacker-controlled commands on the analyst’s machine. **Recommendations** Upgrade to a version prior to 12.0.3.

**Name of the Vulnerable Software and Affected Versions** Unitree Go2 and other models versions (affected versions not specified) **Description** The encryption algorithm used to protect firmware updates is encrypted using key material accessible to attackers. This allows unauthorized modification of firmware updates, which can then be trusted by Unitree products. The issue affects the firmware generation and extraction processes. Currently, there is no publicly documented method to bypass the update process and inject malicious firmware packages without the owner's knowledge. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HexStrike AI MCP Server versions prior to commit 2f3a5512 **Description** The HexStrike AI MCP Server is susceptible to a command injection issue. By supplying a command-line argument beginning with a semicolon (`;`) to an **API endpoint** created by the `EnhancedCommandExecutor` class, a composed command is directly executed with root privileges. The server does not sanitize these arguments in its default configuration. The `EnhancedCommandExecutor` class is the component responsible for processing commands. The `username` and `password` parameters are not explicitly mentioned as being involved in this issue. **Recommendations** Versions prior to commit 2f3a5512 should be updated to a version containing the fix. As a temporary workaround, consider disabling the `EnhancedCommandExecutor` class or restricting access to the affected **API endpoint** until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Unitree robotic products (Go2, G1, H1, and B2 devices) **Description** Multiple Unitree robotic products sharing a common firmware contain a command injection issue. An attacker can inject a malicious string during WiFi configuration via a BLE module, and then trigger a restart of the WiFi service. This allows the attacker to execute commands as root through the `wpa supplicant restart.sh` shell script. The vulnerability affects devices using firmware derived from the MIT Cheetah codebase, including the G1 (humanoid) and Go2 (quadruped) branches. **Recommendations** Unitree Go2 robots: Consider temporarily disabling the bluetooth protocol as a mitigation measure. Unitree G1 robots: Consider temporarily disabling the bluetooth protocol as a mitigation measure. Unitree H1 robots: Consider temporarily disabling the bluetooth protocol as a mitigation measure. Unitree B2 robots: Consider temporarily disabling the bluetooth protocol as a mitigation measure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Quantenna Wi-Fi chipset versions through 8.0.0.28 **Description** The issue concerns an unauthenticated telnet interface that ships by default with the Quantenna Wi-Fi chips, classified as CWE-306, "Missing Authentication for Critical Function." The vendor has released a best practices guide for implementors of this chipset, but the issue remains unpatched at the time of initial reporting. **Recommendations** For versions through 8.0.0.28, consider disabling the telnet interface as a temporary workaround until a patch is available. Restrict access to the telnet interface to minimize the risk of exploitation. Follow the vendor's best practices guide for implementors of the Quantenna Wi-Fi chipset to reduce the risk associated with this issue.

**Name of the Vulnerable Software and Affected Versions** UnitreeRobotics Zhexi/Oray (affected versions not specified) **Description** The issue concerns an undocumented backdoor in the robotic device. This backdoor allows the manufacturer and anyone with the correct API key to gain complete remote control over the device using the CloudSail remote access service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microhard BulletLTE-NA2 and IPn4Gii-NA2 (affected versions not specified) **Description** The issue is related to a post-authentication command injection problem in the `AT+MFMAC` command, which can lead to privilege escalation. This is an instance of improper neutralization of argument delimiters in a command. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microhard products that incorporate the BulletLTE-NA2 and IPn4Gii-NA2 (affected versions not specified) **Description** The issue is related to a post-authentication command injection problem in the `AT+MFRULE` command, which can lead to privilege escalation. This is an instance of improper neutralization of argument delimiters in a command. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microhard products that incorporate the BulletLTE-NA2 and IPn4Gii-NA2 (affected versions not specified) **Description** The issue is related to a post-authentication command injection problem in the `AT+MMNAME` command, which can lead to privilege escalation. This is an instance of improper neutralization of argument delimiters in a command. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microhard BulletLTE-NA2 and IPn4Gii-NA2 (affected versions not specified) **Description** The issue is a post-authentication command injection problem in the `AT+MNNETSP` command, which can lead to privilege escalation. This is an instance of improper neutralization of argument delimiters in a command, also known as argument injection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microhard BulletLTE-NA2 and IPn4Gii-NA2 (affected versions not specified) **Description** The issue is related to a post-authentication command injection in the `AT+MNPINGTM` command, which can lead to privilege escalation. This is an instance of improper neutralization of argument delimiters in a command. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microhard products that incorporate the BulletLTE-NA2 and IPn4Gii-NA2 (affected versions not specified) **Description** The issue is related to a post-authentication command injection problem in the `AT+MFPORTFWD` command, which can lead to privilege escalation. This is an instance of improper neutralization of argument delimiters in a command. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Quantenna Wi-Fi chipset versions prior to 8.0.0.29 **Description** The Quantenna Wi-Fi chipset contains a local control script, `router command.sh`, that is vulnerable to command injection, specifically an instance of improper neutralization of argument delimiters in a command. This issue is estimated to have a significant impact. The vendor has released a best practices guide for implementors of this chipset. **Recommendations** For versions prior to 8.0.0.29, consider disabling the `router command.sh` script until a patch is available. Restrict access to the `run cmd` argument to minimize the risk of exploitation. Implement the best practices guide provided by the vendor to reduce the risk of command injection attacks.

**Name of the Vulnerable Software and Affected Versions** Quantenna Wi-Fi chipset versions prior to 8.0.0.28 **Description** The Quantenna Wi-Fi chipset contains a local control script, `router command.sh`, that is vulnerable to command injection. This issue is an instance of improper neutralization of argument delimiters in a command. The vendor has released a best practices guide for implementors of this chipset. **Recommendations** For versions prior to 8.0.0.28, consider disabling the `router command.sh` script until a patch is available. Restrict access to the `put file to qtn` argument to minimize the risk of exploitation. Follow the vendor's best practices guide for implementors of this chipset to reduce the risk of command injection attacks.

**Name of the Vulnerable Software and Affected Versions** Quantenna Wi-Fi chipset versions through 8.0.0.28 **Description** The Quantenna Wi-Fi chipset has a local control script, `router command.sh`, that is vulnerable to command injection, specifically in the `get file from qtn` argument. This issue is an instance of improper neutralization of argument delimiters in a command. The vendor has released a best practices guide for implementors of this chipset. **Recommendations** For versions through 8.0.0.28, consider disabling the `router command.sh` script or restricting its use until a patch is available. Implement the best practices guide provided by the vendor to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Quantenna Wi-Fi chipset versions through 8.0.0.28 **Description** The Quantenna Wi-Fi chipset has a local control script, `router command.sh`, that is vulnerable to command injection, specifically in the `get syslog from qtn` argument. This issue is related to improper neutralization of argument delimiters in a command. The vendor has released a best practices guide for implementors of this chipset. **Recommendations** For versions through 8.0.0.28, consider disabling the `router command.sh` script or restricting its use until a patch is available. Implement the best practices guide provided by the vendor to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Quantenna Wi-Fi chipset versions prior to 8.0.0.28 **Description** The Quantenna Wi-Fi chipset has a local control script, `router command.sh`, that is vulnerable to command injection, specifically in the `sync time` argument. This issue is an instance of improper neutralization of argument delimiters in a command. The vendor has released a best practices guide for implementors of this chipset. **Recommendations** For versions prior to 8.0.0.28, as a temporary workaround, consider disabling the `router command.sh` script or restricting access to the `sync time` argument until a patch is available. Implement the best practices guide provided by the vendor to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.