VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202512-0388 CVE-2024-53684 Socomec DIRIS Digiware M-70 Cross-Site Request Forgery Vulnerability CVSS V2: 10.0
CVSS V3: 7.5
Severity: HIGH
A cross-site request forgery (csrf) vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious webpage to trigger this vulnerability. The Socomec DIRIS Digiware M-70 is a communication gateway device that serves as the access point for the DIRIS Digiware system, integrating 24VDC power supply and communication functions into a single unit. This vulnerability stems from the WEBVIEW-M function's inadequate verification of whether requests originate from trusted users. Detailed vulnerability information is currently unavailable
VAR-202512-0003 CVE-2024-48894 Socomec DIRIS Digiware M-70 plaintext transmission vulnerability CVSS V2: 7.8
CVSS V3: 5.9
Severity: MEDIUM
A cleartext transmission vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. The Socomec DIRIS Digiware M-70 is a communication gateway device that serves as the access point for the DIRIS Digiware system, integrating 24VDC power supply and communication functions into a single unit. Attackers could exploit this vulnerability to leak sensitive information
VAR-202512-0004 CVE-2024-48882 Socomec DIRIS Digiware M-70 Denial-of-Service Vulnerability (CNVD-2025-30457) CVSS V2: 7.8
CVSS V3: 8.6
Severity: HIGH
A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. The Socomec DIRIS Digiware M-70 is a communication gateway device that serves as the access point for the DIRIS Digiware system, integrating 24VDC power supply and communication functions into a single unit
VAR-202511-2406 CVE-2025-64656 Microsoft Application Gateway privilege escalation vulnerability CVSS V2: 9.7
CVSS V3: 9.4
Severity: CRITICAL
Out-of-bounds read in Application Gateway allows an unauthorized attacker to elevate privileges over a network. Microsoft Application Gateway is an application gateway developed by Microsoft Corporation
VAR-202511-2817 CVE-2025-63729 CVSS V2: -
CVSS V3: 9.0
Severity: CRITICAL
An issue was discovered in Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517 allowing attackers to exctract the SSL Private Key, CA Certificate, SSL Certificate, and Client Certificates in .pem format in firmware in etc folder.
VAR-202511-2413 CVE-2025-59372 ASUS Router path traversal vulnerability (CNVD-2025-29937) CVSS V2: 6.1
CVSS V3: -
Severity: Medium
A path traversal vulnerability has been identified in certain router models. A remote, authenticated attacker could exploit this vulnerability to write files outside the intended directory, potentially affecting device integrity. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks
VAR-202511-2374 CVE-2025-59371 ASUS Router authentication bypass vulnerability CVSS V2: 8.3
CVSS V3: -
Severity: High
An authentication bypass vulnerability has been identified in the IFTTT integration feature. A remote, authenticated attacker could leverage this vulnerability to potentially gain unauthorized access to the device. This vulnerability does not affect Wi-Fi 7 series models. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks
VAR-202511-2421 CVE-2025-59370 ASUS Router command injection vulnerability CVSS V2: 8.3
CVSS V3: -
Severity: High
A command injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary commands, leading to the device executing unintended instructions. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks
VAR-202511-2401 CVE-2025-59369 ASUS Router SQL Injection Vulnerability CVSS V2: 6.1
CVSS V3: -
Severity: Medium
A SQL injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary SQL queries, leading to unauthorized data access. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management of home and enterprise networks. This vulnerability stems from the application's lack of validation for externally input SQL statements
VAR-202511-2372 CVE-2025-59368 ASUS Router Integer Underflow Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: Medium
An integer underflow vulnerability has been identified in Aicloud. An authenticated attacker may trigger this vulnerability by sending a crafted request, potentially impacting the availability of the device. Refer to the ' Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks. ASUS Router contains an integer underflow vulnerability, which attackers could exploit to compromise device availability
VAR-202511-2428 CVE-2025-59366 ASUS Router authentication bypass vulnerability (CNVD-2025-29936) CVSS V2: 10.0
CVSS V3: -
Severity: Critical
An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization. Refer to the Security Update for ASUS Router Firmware section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks. Attackers could exploit this vulnerability to enable unauthorized function execution
VAR-202511-2446 CVE-2025-59365 ASUS Router stack buffer overflow vulnerability CVSS V2: 6.1
CVSS V3: -
Severity: Medium
A stack buffer overflow vulnerability has been identified in certain router models. An authenticated attacker may trigger this vulnerability by sending a crafted request, potentially impacting the availability of the device. Refer to the ' Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks. This vulnerability stems from a boundary error in the application when processing untrusted input
VAR-202511-2373 CVE-2025-12003 ASUS Router path traversal vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: High
A path traversal vulnerability has been identified in WebDAV, which may allow unauthenticated remote attackers to impact the integrity of the device. Refer to the ' Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. ASUS Router is a router product and accompanying management application launched by ASUS, primarily used for wireless connectivity and management in home and enterprise networks
VAR-202511-2274 CVE-2025-13562 D-Link Corporation  of  DIR-852  Injection Vulnerability in Firmware CVSS V2: 7.5
CVSS V3: 7.3
Severity: Medium
A vulnerability was identified in D-Link DIR-852 1.00. This issue affects some unknown processing of the file /gena.cgi. Such manipulation of the argument service leads to command injection. The attack can be executed remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. (DoS) It may be in a state
VAR-202511-2375 CVE-2025-62626 AMD CPU entropy handling vulnerability CVSS V2: 6.2
CVSS V3: -
Severity: High
Improper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values. AMD CPUs are a series of CPUs manufactured by AMD. AMD CPUs have a vulnerability due to improper entropy handling; detailed vulnerability information is not currently available
VAR-202511-2429 CVE-2025-29934 AMD CPUs have an unknown vulnerability. CVSS V2: 3.7
CVSS V3: 5.3
Severity: MEDIUM
A bug within some AMD CPUs could allow a local admin-privileged attacker to run a SEV-SNP guest using stale TLB entries, potentially resulting in loss of data integrity. AMD CPUs are a series of CPUs from AMD Inc
VAR-202511-2355 CVE-2025-65226 Shenzhen Tenda Technology Co.,Ltd.  of  ac21  Classic buffer overflow vulnerability in firmware CVSS V2: 3.3
CVSS V3: 4.3
Severity: MEDIUM
Shenzhen Tenda Technology Co.,Ltd. of ac21 Firmware has a classic buffer overflow vulnerability.Service operation interruption (DoS) It may be in a state. The Tenda AC21 is a dual-band gigabit wireless router from Tenda Technology, designed for high-speed home internet needs. It supports 802.11ac wave2 technology, with a dual-band concurrent speed of up to 2033Mbps, including 1733Mbps on the 5GHz band, meeting the demands of high-bandwidth applications such as 4K video and live streaming. The Tenda AC21 contains a buffer overflow vulnerability. This vulnerability stems from the fact that the deviceId parameter in the /goform/saveParentControlInfo file fails to properly validate the length of input data. Attackers can exploit this vulnerability to cause a denial-of-service attack
VAR-202511-2330 CVE-2025-65223 Shenzhen Tenda Technology Co.,Ltd.  of  ac21  Stack-based buffer overflow vulnerability in firmware CVSS V2: 3.3
CVSS V3: 4.3
Severity: MEDIUM
Shenzhen Tenda Technology Co.,Ltd. of ac21 A stack-based buffer overflow vulnerability exists in the firmware.Service operation interruption (DoS) It may be in a state. The Tenda AC21 is a dual-band gigabit wireless router from Tenda Technology, designed for high-speed home internet needs. It supports 802.11ac wave2 technology, with a dual-band concurrent speed of up to 2033Mbps, including 1733Mbps on the 5GHz band, meeting the demands of high-bandwidth applications such as 4K video and live streaming. This vulnerability stems from the fact that the `urls` parameter in the `/goform/saveParentControlInfo` file fails to properly validate the length of input data. Attackers can exploit this vulnerability to cause a denial-of-service attack
VAR-202511-2359 CVE-2025-65222 Shenzhen Tenda Technology Co.,Ltd.  of  ac21  Stack-based buffer overflow vulnerability in firmware CVSS V2: 3.3
CVSS V3: 4.3
Severity: MEDIUM
Shenzhen Tenda Technology Co.,Ltd. of ac21 A stack-based buffer overflow vulnerability exists in the firmware.Service operation interruption (DoS) It may be in a state. The Tenda AC21 is a dual-band gigabit wireless router from Tenda Technology, designed for high-speed home internet needs. It supports 802.11ac wave2 technology, with a dual-band concurrent speed of up to 2033Mbps, including 1733Mbps on the 5GHz band, meeting the demands of high-bandwidth applications such as 4K video and live streaming. This vulnerability stems from the fact that the rebootTime parameter in `/goform/SetSysAutoRebbotCfg` fails to properly validate the length of the input data. Attackers can exploit this vulnerability to cause a denial-of-service attack
VAR-202511-2366 CVE-2025-65221 Shenzhen Tenda Technology Co.,Ltd.  of  ac21  Stack-based buffer overflow vulnerability in firmware CVSS V2: 3.3
CVSS V3: 4.3
Severity: MEDIUM
Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the list parameter of /goform/setPptpUserList. Shenzhen Tenda Technology Co.,Ltd. of ac21 A stack-based buffer overflow vulnerability exists in the firmware.Service operation interruption (DoS) It may be in a state. The Tenda AC21 is a dual-band gigabit wireless router from Tenda Technology, designed for high-speed home internet needs. It supports 802.11ac wave2 technology, with a dual-band concurrent speed of up to 2033Mbps, including 1733Mbps on the 5GHz band, meeting the demands of high-bandwidth applications such as 4K video and live streaming. This vulnerability stems from the fact that the `list` parameter in `/goform/setPptpUserList` fails to properly validate the length of the input data. Attackers can exploit this vulnerability to cause a denial-of-service attack