VARIoT IoT vulnerabilities database

A vulnerability was found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this vulnerability is the function setDeviceName of the file /goform/setDeviceName. The manipulation of the argument DeviceName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Linksys of RE6250 Firmware and other products from multiple vendors have command injection vulnerabilities, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected is the function algDisable of the file /goform/setOpMode. The manipulation of the argument opMode leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Linksys of RE6250 Firmware and other products from multiple vendors contain buffer error vulnerabilities and stack-based buffer overflow vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This issue affects the function RP_setBasic of the file /goform/RP_setBasic. The manipulation of the argument bssid leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Linksys of RE6250 Firmware and other products from multiple vendors have command injection vulnerabilities, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This vulnerability affects the function wirelessBasic of the file /goform/wirelessBasic. The manipulation of the argument submit_SSID1 leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Linksys of RE6250 Firmware and other products from multiple vendors contain buffer error vulnerabilities and stack-based buffer overflow vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

The MOXA ioLogik E1213 is an industrial-grade remote Ethernet I/O module. The MOXA ioLogik E1213 has an unauthorized access vulnerability that could allow attackers to obtain sensitive information.

A vulnerability was found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This affects the function setWan of the file /goform/setWan. The manipulation of the argument staticIp leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Linksys of RE6250 Firmware and other products from multiple vendors contain buffer error vulnerabilities and stack-based buffer overflow vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this issue is the function setDFSSetting of the file /goform/setLan. The manipulation of the argument lanNetmask/lanIp leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Linksys of RE6250 Firmware and other products from multiple vendors have command injection vulnerabilities, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this vulnerability is the function setLan of the file /goform/setLan. The manipulation of the argument lan2enabled leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Linksys of RE6250 Firmware and other products from multiple vendors contain buffer error vulnerabilities and stack-based buffer overflow vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected is the function setOpMode of the file /goform/setOpMode. The manipulation of the argument ethConv leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Linksys of RE6250 Firmware and other products from multiple vendors contain buffer error vulnerabilities and stack-based buffer overflow vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

The H3C BR3000W is a WiFi 6 dual-band Gigabit wireless router designed for home and enterprise scenarios. The H3C BR3000W has an information leakage vulnerability that could allow an attacker to obtain sensitive information.

The ioLogik E1210-T is an industrial Ethernet module. The ioLogik E1210-T from Mosa Technology (Shanghai) Co., Ltd. has an unauthorized access vulnerability that could allow attackers to obtain sensitive information.

A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. The Belkin F9K1009 and Belkin F9K1010 are both wireless routers manufactured by Belkin, a Canadian company. The Belkin F9K1009 and Belkin F9K1010 have a hardcoded credential vulnerability that could allow an attacker to gain access to the devices

EnzoH has an OS command injection vulnerability. Successful exploitation of this vulnerability may lead to arbitrary command execution. Huawei EnzoH is a wireless access device from Huawei, a Chinese company

EnzoH has an OS command injection vulnerability. Successful exploitation of this vulnerability may lead to arbitrary command execution. Huawei EnzoH is a wireless access device from Huawei, a Chinese company

EnzoH has an OS command injection vulnerability. Successful exploitation of this vulnerability may lead to arbitrary command execution. Huawei is a leading global provider of ICT (information and communications technology) infrastructure and intelligent devices. Founded in 1987 and headquartered in Shenzhen, Guangdong Province, China, Huawei's business covers over 170 countries and regions, serving over 3 billion people worldwide. This vulnerability is caused by setting certain variables directly after getting them without validating them. Detailed vulnerability details are not available at this time

ZTE Corporation is a leading global provider of integrated communications and information technology solutions. ZTE's C300 mobile phone has a weak password vulnerability that could allow attackers to log in to Telnet.

Tigo Energy's CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure. Tigo Energy Cloud Connect Advanced is a compact data logger from the US company Tigo Energy. This vulnerability could allow an attacker to execute arbitrary commands on the system

The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw without authentication to spawn a Telnet service on a specified port, enabling persistent interactive shell access as root. D-Link Corporation of DIR-600 firmware and DIR-300 The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The D-Link DIR-600 is a wireless router from D-Link, a Chinese company. An attacker could exploit this vulnerability to cause command injection

DIAView (v4.2.0 and prior) - Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Delta Electronics DIAView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the web service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account. Delta Electronics DIAView is industrial configuration software from Delta Electronics, a Chinese company. This vulnerability stems from a lack of path validity checks when processing directory requests

Kenwood DMX958XR ReadMVGImage Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ReadMVGImage function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26313. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood