VARIoT IoT vulnerabilities database
| VAR-202508-0315 | CVE-2025-8816 | Linksys of RE6250 Buffer error vulnerabilities in firmware and other products from multiple vendors |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: High |
A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected is the function setOpMode of the file /goform/setOpMode. The manipulation of the argument ethConv leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Linksys of RE6250 Firmware and other products from multiple vendors contain buffer error vulnerabilities and stack-based buffer overflow vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
| VAR-202508-1860 | No CVE | H3C BR3000W has an information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The H3C BR3000W is a WiFi 6 dual-band Gigabit wireless router designed for home and enterprise scenarios.
The H3C BR3000W has an information leakage vulnerability that could allow an attacker to obtain sensitive information.
| VAR-202508-1861 | No CVE | Mosa Technology (Shanghai) Co., Ltd.'s ioLogik E1210-T has an unauthorized access vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The ioLogik E1210-T is an industrial Ethernet module.
The ioLogik E1210-T from Mosa Technology (Shanghai) Co., Ltd. has an unauthorized access vulnerability that could allow attackers to obtain sensitive information.
| VAR-202508-0193 | CVE-2025-8730 | Belkin F9K1009 and Belkin F9K1010 Hardcoded Credentials Vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: High |
A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. The Belkin F9K1009 and Belkin F9K1010 are both wireless routers manufactured by Belkin, a Canadian company.
The Belkin F9K1009 and Belkin F9K1010 have a hardcoded credential vulnerability that could allow an attacker to gain access to the devices
| VAR-202508-1500 | CVE-2024-58257 | Huawei EnzoH Operating System Command Injection Vulnerability (CNVD-2025-23594) |
CVSS V2: 4.0 CVSS V3: 5.7 Severity: MEDIUM |
EnzoH has an OS command injection vulnerability. Successful exploitation of this vulnerability may lead to arbitrary command execution. Huawei EnzoH is a wireless access device from Huawei, a Chinese company
| VAR-202508-1009 | CVE-2024-58256 | Huawei EnzoH operating system command injection vulnerability |
CVSS V2: 3.5 CVSS V3: 4.5 Severity: MEDIUM |
EnzoH has an OS command injection vulnerability. Successful exploitation of this vulnerability may lead to arbitrary command execution. Huawei EnzoH is a wireless access device from Huawei, a Chinese company
| VAR-202508-1608 | CVE-2024-58255 | Huawei EnzoH-W5611T OS Command Injection Vulnerability |
CVSS V2: 3.5 CVSS V3: 5.0 Severity: MEDIUM |
EnzoH has an OS command injection vulnerability. Successful exploitation of this vulnerability may lead to arbitrary command execution. Huawei is a leading global provider of ICT (information and communications technology) infrastructure and intelligent devices. Founded in 1987 and headquartered in Shenzhen, Guangdong Province, China, Huawei's business covers over 170 countries and regions, serving over 3 billion people worldwide. This vulnerability is caused by setting certain variables directly after getting them without validating them. Detailed vulnerability details are not available at this time
| VAR-202508-3675 | No CVE | ZTE C300 has a weak password vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
ZTE Corporation is a leading global provider of integrated communications and information technology solutions.
ZTE's C300 mobile phone has a weak password vulnerability that could allow attackers to log in to Telnet.
| VAR-202508-0152 | CVE-2025-7769 | Tigo Energy Cloud Connect Advanced Command Injection Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: High |
Tigo Energy's CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure. Tigo Energy Cloud Connect Advanced is a compact data logger from the US company Tigo Energy. This vulnerability could allow an attacker to execute arbitrary commands on the system
| VAR-202508-0132 | CVE-2013-10069 | D-Link Corporation of DIR-600 firmware and DIR-300 in the firmware OS Command injection vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw without authentication to spawn a Telnet service on a specified port, enabling persistent interactive shell access as root. D-Link Corporation of DIR-600 firmware and DIR-300 The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The D-Link DIR-600 is a wireless router from D-Link, a Chinese company. An attacker could exploit this vulnerability to cause command injection
| VAR-202508-0405 | CVE-2025-53417 | Delta Electronics DIAView Directory Traversal Remote Code Execution Vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: Critical |
DIAView (v4.2.0 and prior) - Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Delta Electronics DIAView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the web service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account. Delta Electronics DIAView is industrial configuration software from Delta Electronics, a Chinese company. This vulnerability stems from a lack of path validity checks when processing directory requests
| VAR-202508-0105 | CVE-2025-8632 | JVCKENWOOD Corporation of DMX958XR in the firmware OS Command injection vulnerability |
CVSS V2: 7.2 CVSS V3: 6.8 Severity: MEDIUM |
Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26255. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
| VAR-202508-0123 | CVE-2025-8634 | JVCKENWOOD Corporation of DMX958XR in the firmware OS Command injection vulnerability |
CVSS V2: 7.2 CVSS V3: 6.8 Severity: MEDIUM |
Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26257. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
| VAR-202508-0149 | CVE-2025-8650 | JVCKENWOOD Corporation of DMX958XR in the firmware OS Command injection vulnerability |
CVSS V2: 7.2 CVSS V3: 6.8 Severity: MEDIUM |
Kenwood DMX958XR libSystemLib Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26306. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
| VAR-202508-0109 | CVE-2025-8656 | JVCKENWOOD Corporation of DMX958XR Vulnerabilities related to flaws in protection mechanisms in firmware |
CVSS V2: 7.2 CVSS V3: 6.8 Severity: MEDIUM |
Kenwood DMX958XR Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows physically present attackers to downgrade software on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the libSystemLib library. The issue results from the lack of proper validation of version information before performing an update. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-26355. JVCKENWOOD Corporation of DMX958XR The firmware contains vulnerabilities related to the failure of protection mechanisms.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
| VAR-202508-0148 | CVE-2025-8653 | JVCKENWOOD Corporation of DMX958XR Stack-based buffer overflow vulnerability in firmware |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
Kenwood DMX958XR JKRadioService Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Kenwood DMX958XR. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the JKRadioService. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26312. JVCKENWOOD Corporation of DMX958XR A stack-based buffer overflow vulnerability exists in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
| VAR-202508-0124 | CVE-2025-8630 | JVCKENWOOD Corporation of DMX958XR in the firmware OS Command injection vulnerability |
CVSS V2: 7.2 CVSS V3: 6.8 Severity: MEDIUM |
Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26253. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
| VAR-202508-0140 | CVE-2025-8651 | JVCKENWOOD Corporation of DMX958XR in the firmware OS Command injection vulnerability |
CVSS V2: 7.2 CVSS V3: 6.8 Severity: MEDIUM |
Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the JKWifiService. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26307. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
| VAR-202508-0188 | CVE-2025-8654 | JVCKENWOOD Corporation of DMX958XR in the firmware OS Command injection vulnerability |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
Kenwood DMX958XR ReadMVGImage Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the ReadMVGImage function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26313. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
| VAR-202508-0104 | CVE-2025-8645 | JVCKENWOOD Corporation of DMX958XR in the firmware OS Command injection vulnerability |
CVSS V2: 7.2 CVSS V3: 6.8 Severity: MEDIUM |
Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26268. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood