Yu-Chieh Kuo

**Name of the Vulnerable Software and Affected Versions** IAQS and I6 (affected versions not specified) **Description** A security flaw exists in IAQS and I6 developed by JNC, allowing unauthenticated remote attackers to obtain administrator privileges. This is due to a client-side enforcement of server-side security issue, where manipulation of the web front-end can lead to unauthorized access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IAQS and I6 (affected versions not specified) **Description** A missing authentication issue exists in IAQS and I6 developed by JNC. This allows unauthenticated remote attackers to directly operate system administrative functionalities. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Merit LILIN IP Camera models (affected versions not specified) **Description** Certain IP Camera models developed by Merit LILIN are susceptible to an OS Command Injection issue. Authenticated remote attackers can exploit this to inject and execute arbitrary OS commands on the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Merit LILIN DVR/NVR models (affected versions not specified) Merit Lilin DH032 (affected versions not specified) **Description** An authenticated remote attacker can inject arbitrary OS commands on Merit LILIN DVR/NVR devices and execute them. This is due to an OS Command Injection issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QNO Technology VPN Firewall (affected versions not specified) **Description** The VPN Firewall developed by QNO Technology contains an OS Command Injection issue. Authenticated remote attackers can inject arbitrary OS commands and execute them on the server. The vulnerability allows for the execution of commands on the server through injection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QNO Technology VPN Firewall (affected versions not specified) **Description** An OS Command Injection issue exists in QNO Technology VPN Firewall, potentially allowing authenticated remote attackers to inject and execute arbitrary OS commands on the server. The issue allows for the injection of commands through an unspecified mechanism. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QNO Technology VPN Firewall (affected versions not specified) **Description** The VPN Firewall developed by QNO Technology contains an insufficient entropy issue. This allows unauthenticated remote attackers to obtain any logged-in user session through brute-force attacks and subsequently log into the system. The vulnerability allows attackers to gain access by guessing session identifiers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** N-Reporter (affected versions not specified) N-Cloud (affected versions not specified) N-Probe (affected versions not specified) **Description** The N-Reporter, N-Cloud, and N-Probe developed by N-Partner are susceptible to an OS Command Injection issue. Authenticated remote attackers can inject arbitrary OS commands and execute them on the server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Digiever NVR (affected versions not specified) Description: Digiever NVR devices are susceptible to a sensitive information exposure issue. Unauthenticated remote attackers can access the system configuration file and obtain plaintext credentials for the NVR and connected cameras. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Digiever NVR (affected versions not specified) **Description** Certain models of NVR developed by Digiever have an OS Command Injection vulnerability. This allows remote attackers to inject arbitrary OS commands and execute them on the device. Some reports indicate the vulnerability may be exploitable by unauthenticated attackers, while others state it requires authentication. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Planet Technology Industrial Cellular Gateway (affected versions not specified) **Description** Certain models of Industrial Cellular Gateway developed by Planet Technology are susceptible to a missing authentication issue. This allows unauthenticated remote attackers to manipulate the device through a specific functionality. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Hunt Electronic DVR models HBF-09KD and HBF-16NK Description: The issue allows remote attackers with regular privileges to inject arbitrary OS commands and execute them on the device. This is due to an OS Command Injection vulnerability. Recommendations: For HBF-09KD and HBF-16NK models, consider restricting access to the device until a patch is available. As a temporary workaround, limit the privileges of remote users to minimize the risk of exploitation. Avoid using the device for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Hunt Electronic Hybrid DVR models (HBF-09KD and HBF-16NK) Description: The issue allows unauthenticated remote attackers to directly access a system configuration file and obtain plaintext administrator credentials. This is an Exposure of Sensitive Information vulnerability. Recommendations: For HBF-09KD and HBF-16NK models, consider restricting access to the system configuration file until a patch is available. As a temporary workaround, avoid using plaintext administrator credentials in the affected system until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Sapido BR071n version All Sapido BR261c version All Sapido BR270n version All Sapido BR476n version All Sapido BRC70n version All Sapido BRC70x version All Sapido BRC76n version All Sapido BRD70n version All Sapido BRE70n version All Sapido BRE71n version All Sapido BRF61c version All Sapido BRF71n version All Description: The issue is an OS Command Injection, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. This is due to the improper neutralization of special elements used in an OS command. Recommendations: Replace the device with a supported model, as the affected models are out of support. For all affected models, consider disabling any remote access features until replacement. Restrict access to the device to minimize the risk of exploitation. Avoid using the device for critical operations until it is replaced. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Sapido Wireless Router (affected versions not specified) Description: The issue allows unauthenticated remote attackers to directly access a system configuration file and obtain plaintext administrator credentials. The affected models are out of support. Recommendations: Replace the device with a supported model to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Okcat Parking Management Platform (affected versions not specified) **Description** The web management interface of the Okcat Parking Management Platform has an Arbitrary File Upload issue, allowing unauthenticated remote attackers to upload and execute web shell backdoors, enabling arbitrary code execution on the server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZONG YU Parking Management System (affected versions not specified) **Description** The Parking Management System from ZONG YU has a Missing Authentication issue, allowing unauthenticated remote attackers to access specific APIs and operate system functions, including opening gates and restarting the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Okcat Parking Management Platform (affected versions not specified) **Description** The web management interface of the Okcat Parking Management Platform has a Missing Authentication issue, allowing unauthenticated remote attackers to directly access system functions. These functions include opening gates, viewing license plates and parking records, and restarting the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SECOM WRTR-304GN-304TW-UPSC (affected versions not specified) **Description** The issue is related to improper filtering of user input in a specific functionality, allowing unauthenticated remote attackers to inject and execute arbitrary system commands on the device. This can be exploited by attackers to gain unauthorized access and control over the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GeoVision devices (affected versions not specified) **Description** The issue exists due to the failure to properly filter user input for specific functionality, allowing unauthenticated remote attackers to inject and execute arbitrary system commands on the device. This vulnerability is being actively exploited. The estimated number of potentially affected devices worldwide is not provided. Real-world incidents where this issue was exploited include attacks by the Mirai botnet on GeoVision IoT devices. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.