VARIoT IoT vulnerabilities database


VAR-202502-2174 CVE-2024-51138 Stack-based buffer overflow vulnerability in multiple DrayTek Corporation products CVSS V2: -
CVSS V3: 9.8
Severity: CRITICAL
In Vigor165/166 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3.9.9.5 and earlier; Vigor2133/2762/2832 3.9.9 and earlier; Vigor2135/2765/2766 4.4.5. and earlier; Vigor2865/2866/2927 4.4.5.3 and earlier; Vigor2962 4.3.2.8 and earlier; Vigor3912 4.3.6.1 and earlier; Vigor3910 4.4.3.1 and earlier, a stack-based buffer overflow vulnerability has been identified in the URL parsing functionality of the TR069 STUN server. This flaw occurs due to insufficient bounds checking on the number of URL parameters, allowing an attacker to exploit the overflow by sending a maliciously crafted request. Consequently, a remote attacker can execute arbitrary code with elevated privileges. Affected products include vigor3912 firmware, vigor2620 firmware, vigorlte200 firmware, etc. The DrayTek Corporation products contain a stack-based buffer overflow vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
VAR-202502-2583 CVE-2024-41340 Unrestricted upload of dangerous file types vulnerability in multiple DrayTek Corporation products CVSS V2: -
CVSS V3: 8.4
Severity: HIGH
An issue in Draytek devices Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload crafted APP Enforcement modules, leading to arbitrary code execution. Affected products include vigor165 firmware, vigor166 firmware, vigor2620 firmware, etc. The DrayTek Corporation products contain an unrestricted upload of dangerous file types vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
VAR-202502-3343 CVE-2024-41339 Unrestricted upload of dangerous file types vulnerability in multiple DrayTek Corporation products CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
An issue in the CGI endpoint used to upload configurations in Draytek devices Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload a crafted kernel module, allowing for arbitrary code execution. Affected products include vigor165 firmware, vigor166 firmware, vigor2620 firmware, etc. The DrayTek Corporation products contain an unrestricted upload of dangerous file types vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
VAR-202502-3730 CVE-2024-41338 NULL pointer dereference vulnerability in multiple DrayTek Corporation products CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
A NULL pointer dereference in Draytek devices Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to cause a Denial of Service (DoS) via a crafted DHCP request. Affected products include vigor165 firmware, vigor166 firmware, vigor2620 firmware, etc. The DrayTek Corporation products contain a NULL pointer dereference vulnerability. Service operation may be interrupted (DoS).
VAR-202502-2792 CVE-2024-41334 Certificate validation vulnerability in multiple DrayTek Corporation products CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
Draytek devices Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to not utilize certificate verification, allowing attackers to upload crafted APPE modules from non-official servers, leading to arbitrary code execution. Affected products include vigor166 firmware, vigor2620 firmware, vigorlte200 firmware, etc. The DrayTek Corporation products contain a certificate validation vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
VAR-202502-3792 No CVE Beijing Xingwang Ruijie Network Technology Co., Ltd. RG-UAC-6000-E20 has a command execution vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Beijing Xingwang Ruijie Network Technology Co., Ltd. is a provider of ICT infrastructure and industry solutions. Its main business is the research, design and sales of network equipment, network security products and cloud desktop solutions. Beijing Xingwang Ruijie Network Technology Co., Ltd. RG-UAC-6000-E20 has a command execution vulnerability, which can be exploited by attackers to execute arbitrary commands.
VAR-202502-3800 No CVE Toshiba Corporation. STUDIO3008A has an unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Toshiba Corporation. STUDIO3008A is a network printer. Toshiba Corporation. STUDIO3008A has an unauthorized access vulnerability that can be exploited by attackers to obtain sensitive information.
VAR-202502-3808 No CVE Sony Group Corporation SNC-RZ50N has weak password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
SNC-RZ50N is a network camera with day and night switching function. Sony Group Corporation SNC-RZ50N has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.
VAR-202502-3809 No CVE SAMSUNG X6300 has unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
SAMSUNG X6300 is a camera product. SAMSUNG X6300 has an unauthorized access vulnerability, which can be exploited by attackers to obtain sensitive information.
VAR-202502-3781 No CVE SAMSUNG X6250 has unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
SAMSUNG X6250 is an all-in-one computer. SAMSUNG X6250 has an unauthorized access vulnerability that can be exploited by attackers to obtain sensitive information.
VAR-202502-3799 No CVE KONICA MINOLTA, INC. bizhub C258 has weak password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
bizhub C258 is a color multifunction printer. KONICA MINOLTA, INC. bizhub C258 has a weak password vulnerability that can be exploited by attackers to obtain sensitive information.
VAR-202502-2329 CVE-2025-22881 Delta Electronics CNCSoft-G2 Buffer Overflow Vulnerability (CNVD-2025-12364) CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. If a target visits a malicious page or opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process. Delta Electronics CNCSoft-G2 is human-machine interface (HMI) software from Delta Electronics, a Chinese company.
VAR-202502-3815 No CVE TOTOlink A3002R of Jiong Electronics (Shenzhen) Co., Ltd. has a denial of service vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Jiong Electronics (Shenzhen) Co., Ltd. is a high-tech foreign-invested enterprise specializing in the research and development, design, manufacturing and sales of various network products. Jiong Electronics (Shenzhen) Co., Ltd. TOTOlink A3002R has a denial of service vulnerability, which can be exploited by attackers to cause a denial of service.
VAR-202502-2173 CVE-2024-51539 SQL injection vulnerability in Dell's Secure Connect Gateway CVSS V2: -
CVSS V3: 2.3
Severity: LOW
The Dell Secure Connect Gateway (SCG) Application and Appliance, versions prior to 5.28, contains a SQL injection vulnerability due to improper neutralization of special elements used in an SQL command. This vulnerability can only be exploited locally on the affected system. A high-privilege attacker with access to the system could potentially exploit this vulnerability, leading to the disclosure of non-sensitive information that does not include any customer data. However, the information handled by the software will not be rewritten, the software will not stop, and attacks that exploit this vulnerability will not affect other software.
VAR-202502-3807 No CVE NETGEAR-WN3000RP has a weak password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
NETGEAR WN3000RP is a wireless access point with a frequency range of 2.4GHz. NETGEAR WN3000RP has a weak password vulnerability that can be exploited by attackers to obtain sensitive information.
VAR-202502-3797 No CVE Samsung C3010ND has weak password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
C3010ND is a laser printer. Samsung C3010ND has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.
VAR-202502-3853 No CVE Samsung (China) Investment Co., Ltd. C563FW has a weak password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Samsung (China) Investment Co., Ltd. is a company mainly engaged in investment activities, covering multiple fields, including sales and services of home appliances, electronic products, communication equipment, computer hardware and software, and auxiliary equipment. Samsung (China) Investment Co., Ltd. C563FW has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.
VAR-202502-3813 No CVE Sony SNC-RH164 has unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
SNC-RH164 is a network high-definition speed dome camera. Sony SNC-RH164 has an unauthorized access vulnerability, which can be exploited by attackers to obtain sensitive information.
VAR-202502-3790 No CVE Samsung C430W has weak password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
C430W is a laser printer. Samsung C430W has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.
VAR-202502-1747 CVE-2025-1618 Multiple vulnerabilities in Vtiger CRM from Vtiger CVSS V2: 5.0
CVSS V3: 4.3
Severity: Medium
A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of the file /modules/Mobile/index.php. The manipulation of the argument _operation leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0 addresses this issue. It is recommended to upgrade the affected component. Some of the information handled by the software may be rewritten, the software will not stop, and attacks exploiting this vulnerability may affect other software.