VARIoT IoT vulnerabilities database
| VAR-202512-0388 | CVE-2024-53684 | Socomec DIRIS Digiware M-70 Cross-Site Request Forgery Vulnerability |
CVSS V2: 10.0 CVSS V3: 7.5 Severity: HIGH |
A cross-site request forgery (csrf) vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious webpage to trigger this vulnerability. The Socomec DIRIS Digiware M-70 is a communication gateway device that serves as the access point for the DIRIS Digiware system, integrating 24VDC power supply and communication functions into a single unit. This vulnerability stems from the WEBVIEW-M function's inadequate verification of whether requests originate from trusted users. Detailed vulnerability information is currently unavailable
| VAR-202512-0003 | CVE-2024-48894 | Socomec DIRIS Digiware M-70 plaintext transmission vulnerability |
CVSS V2: 7.8 CVSS V3: 5.9 Severity: MEDIUM |
A cleartext transmission vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. The Socomec DIRIS Digiware M-70 is a communication gateway device that serves as the access point for the DIRIS Digiware system, integrating 24VDC power supply and communication functions into a single unit. Attackers could exploit this vulnerability to leak sensitive information
| VAR-202512-0004 | CVE-2024-48882 | Socomec DIRIS Digiware M-70 Denial-of-Service Vulnerability (CNVD-2025-30457) |
CVSS V2: 7.8 CVSS V3: 8.6 Severity: HIGH |
A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. The Socomec DIRIS Digiware M-70 is a communication gateway device that serves as the access point for the DIRIS Digiware system, integrating 24VDC power supply and communication functions into a single unit
| VAR-202511-2406 | CVE-2025-64656 | Microsoft Application Gateway privilege escalation vulnerability |
CVSS V2: 9.7 CVSS V3: 9.4 Severity: CRITICAL |
Out-of-bounds read in Application Gateway allows an unauthorized attacker to elevate privileges over a network. Microsoft Application Gateway is an application gateway developed by Microsoft Corporation
| VAR-202511-2817 | CVE-2025-63729 |
CVSS V2: - CVSS V3: 9.0 Severity: CRITICAL |
An issue was discovered in Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517 allowing attackers to exctract the SSL Private Key, CA Certificate, SSL Certificate, and Client Certificates in .pem format in firmware in etc folder.
| VAR-202511-2413 | CVE-2025-59372 | ASUS Router path traversal vulnerability (CNVD-2025-29937) |
CVSS V2: 6.1 CVSS V3: - Severity: Medium |
A path traversal vulnerability has been identified in certain router models. A remote, authenticated attacker could exploit this vulnerability to write files outside the intended directory, potentially affecting device integrity.
Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks
| VAR-202511-2374 | CVE-2025-59371 | ASUS Router authentication bypass vulnerability |
CVSS V2: 8.3 CVSS V3: - Severity: High |
An authentication bypass vulnerability has been identified in the IFTTT integration feature. A remote, authenticated attacker could leverage this vulnerability to potentially gain unauthorized access to the device. This vulnerability does not affect Wi-Fi 7 series models.
Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks
| VAR-202511-2421 | CVE-2025-59370 | ASUS Router command injection vulnerability |
CVSS V2: 8.3 CVSS V3: - Severity: High |
A command injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary commands, leading to the device executing unintended instructions.
Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks
| VAR-202511-2401 | CVE-2025-59369 | ASUS Router SQL Injection Vulnerability |
CVSS V2: 6.1 CVSS V3: - Severity: Medium |
A SQL injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary SQL queries, leading to unauthorized data access.
Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management of home and enterprise networks. This vulnerability stems from the application's lack of validation for externally input SQL statements
| VAR-202511-2372 | CVE-2025-59368 | ASUS Router Integer Underflow Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: Medium |
An integer underflow vulnerability has been identified in Aicloud. An authenticated attacker may trigger this vulnerability by sending a crafted request, potentially impacting the availability of the device.
Refer to the ' Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks.
ASUS Router contains an integer underflow vulnerability, which attackers could exploit to compromise device availability
| VAR-202511-2428 | CVE-2025-59366 | ASUS Router authentication bypass vulnerability (CNVD-2025-29936) |
CVSS V2: 10.0 CVSS V3: - Severity: Critical |
An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization.
Refer to the Security Update for ASUS Router Firmware section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks. Attackers could exploit this vulnerability to enable unauthorized function execution
| VAR-202511-2446 | CVE-2025-59365 | ASUS Router stack buffer overflow vulnerability |
CVSS V2: 6.1 CVSS V3: - Severity: Medium |
A stack buffer overflow vulnerability has been identified in certain router models. An authenticated attacker may trigger this vulnerability by sending a crafted request, potentially impacting the availability of the device.
Refer to the ' Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks. This vulnerability stems from a boundary error in the application when processing untrusted input
| VAR-202511-2373 | CVE-2025-12003 | ASUS Router path traversal vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: High |
A path traversal vulnerability has been identified in WebDAV, which may allow unauthenticated remote attackers to impact the integrity of the device.
Refer to the ' Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks
| VAR-202511-2274 | CVE-2025-13562 | D-Link Corporation of DIR-852 Injection Vulnerability in Firmware |
CVSS V2: 7.5 CVSS V3: 7.3 Severity: Medium |
A vulnerability was identified in D-Link DIR-852 1.00. This issue affects some unknown processing of the file /gena.cgi. Such manipulation of the argument service leads to command injection. The attack can be executed remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. (DoS) It may be in a state
| VAR-202511-2375 | CVE-2025-62626 | AMD CPU entropy handling vulnerability |
CVSS V2: 6.2 CVSS V3: - Severity: High |
Improper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values. AMD CPUs are a series of CPUs manufactured by AMD.
AMD CPUs have a vulnerability due to improper entropy handling; detailed vulnerability information is not currently available
| VAR-202511-2429 | CVE-2025-29934 | AMD CPUs have an unknown vulnerability. |
CVSS V2: 3.7 CVSS V3: 5.3 Severity: MEDIUM |
A bug within some AMD CPUs could allow a local admin-privileged attacker to run a SEV-SNP guest using stale TLB entries, potentially resulting in loss of data integrity. AMD CPUs are a series of CPUs from AMD Inc
| VAR-202511-2355 | CVE-2025-65226 | Shenzhen Tenda Technology Co.,Ltd. of ac21 Classic buffer overflow vulnerability in firmware |
CVSS V2: 3.3 CVSS V3: 4.3 Severity: MEDIUM |
Shenzhen Tenda Technology Co.,Ltd. of ac21 Firmware has a classic buffer overflow vulnerability.Service operation interruption (DoS) It may be in a state. The Tenda AC21 is a dual-band gigabit wireless router from Tenda Technology, designed for high-speed home internet needs. It supports 802.11ac wave2 technology, with a dual-band concurrent speed of up to 2033Mbps, including 1733Mbps on the 5GHz band, meeting the demands of high-bandwidth applications such as 4K video and live streaming.
The Tenda AC21 contains a buffer overflow vulnerability. This vulnerability stems from the fact that the deviceId parameter in the /goform/saveParentControlInfo file fails to properly validate the length of input data. Attackers can exploit this vulnerability to cause a denial-of-service attack
| VAR-202511-2330 | CVE-2025-65223 | Shenzhen Tenda Technology Co.,Ltd. of ac21 Stack-based buffer overflow vulnerability in firmware |
CVSS V2: 3.3 CVSS V3: 4.3 Severity: MEDIUM |
Shenzhen Tenda Technology Co.,Ltd. of ac21 A stack-based buffer overflow vulnerability exists in the firmware.Service operation interruption (DoS) It may be in a state. The Tenda AC21 is a dual-band gigabit wireless router from Tenda Technology, designed for high-speed home internet needs. It supports 802.11ac wave2 technology, with a dual-band concurrent speed of up to 2033Mbps, including 1733Mbps on the 5GHz band, meeting the demands of high-bandwidth applications such as 4K video and live streaming. This vulnerability stems from the fact that the `urls` parameter in the `/goform/saveParentControlInfo` file fails to properly validate the length of input data. Attackers can exploit this vulnerability to cause a denial-of-service attack
| VAR-202511-2359 | CVE-2025-65222 | Shenzhen Tenda Technology Co.,Ltd. of ac21 Stack-based buffer overflow vulnerability in firmware |
CVSS V2: 3.3 CVSS V3: 4.3 Severity: MEDIUM |
Shenzhen Tenda Technology Co.,Ltd. of ac21 A stack-based buffer overflow vulnerability exists in the firmware.Service operation interruption (DoS) It may be in a state. The Tenda AC21 is a dual-band gigabit wireless router from Tenda Technology, designed for high-speed home internet needs. It supports 802.11ac wave2 technology, with a dual-band concurrent speed of up to 2033Mbps, including 1733Mbps on the 5GHz band, meeting the demands of high-bandwidth applications such as 4K video and live streaming. This vulnerability stems from the fact that the rebootTime parameter in `/goform/SetSysAutoRebbotCfg` fails to properly validate the length of the input data. Attackers can exploit this vulnerability to cause a denial-of-service attack
| VAR-202511-2366 | CVE-2025-65221 | Shenzhen Tenda Technology Co.,Ltd. of ac21 Stack-based buffer overflow vulnerability in firmware |
CVSS V2: 3.3 CVSS V3: 4.3 Severity: MEDIUM |
Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the list parameter of /goform/setPptpUserList. Shenzhen Tenda Technology Co.,Ltd. of ac21 A stack-based buffer overflow vulnerability exists in the firmware.Service operation interruption (DoS) It may be in a state. The Tenda AC21 is a dual-band gigabit wireless router from Tenda Technology, designed for high-speed home internet needs. It supports 802.11ac wave2 technology, with a dual-band concurrent speed of up to 2033Mbps, including 1733Mbps on the 5GHz band, meeting the demands of high-bandwidth applications such as 4K video and live streaming. This vulnerability stems from the fact that the `list` parameter in `/goform/setPptpUserList` fails to properly validate the length of the input data. Attackers can exploit this vulnerability to cause a denial-of-service attack