Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
30 vulnerabilities by circutor
CVE-2025-64389 (GCVE-0-2025-64389)
Vulnerability from nvd – Published: 2025-10-31 14:19 – Updated: 2025-11-03 19:11- CWE-319 - Cleartext Transmission of Sensitive Information
| URL | Tags |
|---|---|
| https://cds.thalesgroup.com/es/s21sec | |
| https://circutor.com/productos/iot-industrial-y-a… | product |
| https://www.hackrtu.com/blog/cg-0day-en-003/ | technical-description |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | TCPRS1plus |
Affected:
1.0.14
(Firmware)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T19:11:35.879313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T19:11:41.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TCPRS1plus",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "1.0.14",
"versionType": "Firmware"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:circutor:tcprs1plus:1.0.14:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
},
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez"
},
{
"lang": "en",
"type": "coordinator",
"value": "Iv\u00e1n Alonso \u00c1lvarez"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The web server of the device performs exchanges of sensitive information in clear text through an insecure protocol."
}
],
"value": "The web server of the device performs exchanges of sensitive information in clear text through an insecure protocol."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:L/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T15:45:50.652Z",
"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"shortName": "S21sec"
},
"references": [
{
"url": "https://cds.thalesgroup.com/es/s21sec"
},
{
"tags": [
"product"
],
"url": "https://circutor.com/productos/iot-industrial-y-automatizacion/conversores-y-pasarelas/product/D80010./"
},
{
"tags": [
"technical-description"
],
"url": "https://www.hackrtu.com/blog/cg-0day-en-003/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The new version of the device will use the HTTPS protocol.\n\n\u003cbr\u003e"
}
],
"value": "The new version of the device will use the HTTPS protocol."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "EXCHANGE OF SENSITIVE INFORMATION IN CLEAR TEXT",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"assignerShortName": "S21sec",
"cveId": "CVE-2025-64389",
"datePublished": "2025-10-31T14:19:48.833Z",
"dateReserved": "2025-10-31T13:13:35.299Z",
"dateUpdated": "2025-11-03T19:11:41.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64388 (GCVE-0-2025-64388)
Vulnerability from nvd – Published: 2025-10-31 14:17 – Updated: 2025-11-03 15:47- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://cds.thalesgroup.com/es/s21sec | |
| https://circutor.com/productos/iot-industrial-y-a… | product |
| https://www.hackrtu.com/blog/cg-0day-en-003/ | technical-description |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | TCPRS1plus |
Affected:
1.0.14
(Firmware)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T14:41:48.866891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T14:42:03.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TCPRS1plus",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "1.0.14",
"versionType": "Firmware"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:circutor:tcprs1plus:1.0.14:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
},
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez"
},
{
"lang": "en",
"type": "coordinator",
"value": "Iv\u00e1n Alonso \u00c1lvarez"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Denial of service of the web server through specific requests to this protocol"
}
],
"value": "Denial of service of the web server through specific requests to this protocol"
}
],
"impacts": [
{
"capecId": "CAPEC-469",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-469 HTTP DoS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T15:47:20.502Z",
"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"shortName": "S21sec"
},
"references": [
{
"url": "https://cds.thalesgroup.com/es/s21sec"
},
{
"tags": [
"product"
],
"url": "https://circutor.com/productos/iot-industrial-y-automatizacion/conversores-y-pasarelas/product/D80010./"
},
{
"tags": [
"technical-description"
],
"url": "https://www.hackrtu.com/blog/cg-0day-en-003/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The new version of the device will use the HTTPS protocol.\u0026nbsp;It is also recommended to deploy it behind a firewall that allows you to prevent this attack.\u003cbr\u003e"
}
],
"value": "The new version of the device will use the HTTPS protocol.\u00a0It is also recommended to deploy it behind a firewall that allows you to prevent this attack."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Denial of service through specific packets",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"assignerShortName": "S21sec",
"cveId": "CVE-2025-64388",
"datePublished": "2025-10-31T14:17:00.827Z",
"dateReserved": "2025-10-31T13:13:35.299Z",
"dateUpdated": "2025-11-03T15:47:20.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64387 (GCVE-0-2025-64387)
Vulnerability from nvd – Published: 2025-10-31 14:12 – Updated: 2025-11-03 15:48- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
| URL | Tags |
|---|---|
| https://circutor.com/productos/iot-industrial-y-a… | product |
| https://cds.thalesgroup.com/es/s21sec | |
| https://www.hackrtu.com/blog/cg-0day-en-003/ | technical-description |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | TCPRS1plus |
Affected:
1.0.14
(Firmware)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64387",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T14:38:04.393974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T14:39:38.610Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TCPRS1plus",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "1.0.14",
"versionType": "Firmware"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:circutor:tcprs1plus:1.0.14:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
},
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez"
},
{
"lang": "en",
"type": "coordinator",
"value": "Iv\u00e1n Alonso \u00c1lvarez"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The web application is vulnerable to a so-called \u2018clickjacking\u2019 attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate."
}
],
"value": "The web application is vulnerable to a so-called \u2018clickjacking\u2019 attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate."
}
],
"impacts": [
{
"capecId": "CAPEC-103",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-103 Clickjacking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T15:48:02.400Z",
"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"shortName": "S21sec"
},
"references": [
{
"tags": [
"product"
],
"url": "https://circutor.com/productos/iot-industrial-y-automatizacion/conversores-y-pasarelas/product/D80010./"
},
{
"url": "https://cds.thalesgroup.com/es/s21sec"
},
{
"tags": [
"technical-description"
],
"url": "https://www.hackrtu.com/blog/cg-0day-en-003/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The new version of the device will use the HTTPS protocol.\u003cbr\u003e"
}
],
"value": "The new version of the device will use the HTTPS protocol."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CLICKJACKING",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"assignerShortName": "S21sec",
"cveId": "CVE-2025-64387",
"datePublished": "2025-10-31T14:12:55.199Z",
"dateReserved": "2025-10-31T13:13:35.299Z",
"dateUpdated": "2025-11-03T15:48:02.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64385 (GCVE-0-2025-64385)
Vulnerability from nvd – Published: 2025-10-31 14:23 – Updated: 2025-11-03 19:06- CWE-20 - Improper Input Validation
| URL | Tags |
|---|---|
| https://cds.thalesgroup.com/es/s21sec | |
| https://circutor.com/productos/iot-industrial-y-a… | product |
| https://www.hackrtu.com/blog/cg-0day-en-003/ | technical-description |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | TCPRS1plus |
Affected:
1.0.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T19:06:09.900343Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T19:06:16.313Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TCPRS1plus",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "1.0.14"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:circutor:tcprs1plus:1.0.14:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
},
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez"
},
{
"lang": "en",
"type": "coordinator",
"value": "Iv\u00e1n Alonso \u00c1lvarez"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The equipment initially can be configured using the manufacturer\u0027s application, by Wi-Fi, by the web server or with the manufacturer\u2019s software.\u003cbr\u003eUsing the manufacturer\u0027s software, the device can be configured via UDP. Analyzing this communication, it has been observed that any aspect of the initial configuration can be changed by means of the device\u0027s MAC without the need for authentication."
}
],
"value": "The equipment initially can be configured using the manufacturer\u0027s application, by Wi-Fi, by the web server or with the manufacturer\u2019s software.\nUsing the manufacturer\u0027s software, the device can be configured via UDP. Analyzing this communication, it has been observed that any aspect of the initial configuration can be changed by means of the device\u0027s MAC without the need for authentication."
}
],
"impacts": [
{
"capecId": "CAPEC-10",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-10 Buffer Overflow via Environment Variables"
}
]
},
{
"capecId": "CAPEC-101",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-101 Server Side Include (SSI) Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T15:46:13.848Z",
"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"shortName": "S21sec"
},
"references": [
{
"url": "https://cds.thalesgroup.com/es/s21sec"
},
{
"tags": [
"product"
],
"url": "https://circutor.com/productos/iot-industrial-y-automatizacion/conversores-y-pasarelas/product/D80010./"
},
{
"tags": [
"technical-description"
],
"url": "https://www.hackrtu.com/blog/cg-0day-en-003/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This service has been removed in the new version.\u003cbr\u003e"
}
],
"value": "This service has been removed in the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "INCORRECT SECURITY VALIDATION IN SENDING UDP FRAMES",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"assignerShortName": "S21sec",
"cveId": "CVE-2025-64385",
"datePublished": "2025-10-31T14:23:06.442Z",
"dateReserved": "2025-10-31T13:13:35.298Z",
"dateUpdated": "2025-11-03T19:06:16.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64386 (GCVE-0-2025-64386)
Vulnerability from nvd – Published: 2025-10-31 13:42 – Updated: 2025-11-03 15:51- CWE-613 - Insufficient Session Expiration
| URL | Tags |
|---|---|
| https://circutor.com/productos/iot-industrial-y-a… | product |
| https://www.hackrtu.com/blog/cg-0day-en-003/ | technical-description |
| https://cds.thalesgroup.com/es/s21sec-about |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | TCPRS1plus |
Affected:
1.0.14
(Firmware)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T14:22:45.570351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T14:22:50.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TCPRS1plus",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "1.0.14",
"versionType": "Firmware"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:circutor:tcprs1plus:1.0.14:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
},
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez"
},
{
"lang": "en",
"type": "coordinator",
"value": "Iv\u00e1n Alonso \u00c1lvarez"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;The\nequipment grants a JWT token for each connection in the timeline, but during an\nactive valid session, a hijacking of the token can be done. This will allow an\nattacker with the token modify parameters of security, access or even steal the\nsession without\nthe legitimate and active session detecting it. The web server allows the\nattacker to reuse an old session JWT token while the legitimate session is\nactive."
}
],
"value": "The\nequipment grants a JWT token for each connection in the timeline, but during an\nactive valid session, a hijacking of the token can be done. This will allow an\nattacker with the token modify parameters of security, access or even steal the\nsession without\nthe legitimate and active session detecting it. The web server allows the\nattacker to reuse an old session JWT token while the legitimate session is\nactive."
}
],
"impacts": [
{
"capecId": "CAPEC-593",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-593 Session Hijacking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T15:51:03.421Z",
"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"shortName": "S21sec"
},
"references": [
{
"tags": [
"product"
],
"url": "https://circutor.com/productos/iot-industrial-y-automatizacion/conversores-y-pasarelas/product/D80010./"
},
{
"tags": [
"technical-description"
],
"url": "https://www.hackrtu.com/blog/cg-0day-en-003/"
},
{
"url": "https://cds.thalesgroup.com/es/s21sec-about"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HIJACKING OF THE TOKEN AND GAINING ACCESS",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"assignerShortName": "S21sec",
"cveId": "CVE-2025-64386",
"datePublished": "2025-10-31T13:42:32.743Z",
"dateReserved": "2025-10-31T13:13:35.299Z",
"dateUpdated": "2025-11-03T15:51:03.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8891 (GCVE-0-2024-8891)
Vulnerability from nvd – Published: 2024-09-18 13:10 – Updated: 2024-09-18 15:28- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | CIRCUTOR Q-SMT |
Affected:
1.0.4
(firmware)
|
|
| circutor | circutor_q_smt |
Affected:
1.0.4
cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "circutor_q_smt",
"vendor": "circutor",
"versions": [
{
"status": "affected",
"version": "1.0.4"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T15:27:44.779995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T15:28:30.964Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIRCUTOR Q-SMT",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "1.0.4",
"versionType": "firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha"
},
{
"lang": "en",
"type": "finder",
"value": "Gabriel V\u00eda Echezarreta"
}
],
"datePublic": "2024-09-16T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker with no knowledge of the current users in the web application, could build a dictionary of potential users and check the server responses as it indicates whether or not the user is present in CIRCUTOR Q-SMT in its firmware version 1.0.4."
}
],
"value": "An attacker with no knowledge of the current users in the web application, could build a dictionary of potential users and check the server responses as it indicates whether or not the user is present in CIRCUTOR Q-SMT in its firmware version 1.0.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:10:01.274Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Exposure of Private Personal Information to an Unauthorized Actor vulnerability on CIRCUTOR Q-SMT",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-8891",
"datePublished": "2024-09-18T13:10:01.274Z",
"dateReserved": "2024-09-16T10:20:32.471Z",
"dateUpdated": "2024-09-18T15:28:30.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8892 (GCVE-0-2024-8892)
Vulnerability from nvd – Published: 2024-09-18 12:54 – Updated: 2024-09-18 14:42- CWE-400 - Uncontrolled Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | CIRCUTOR TCP2RS+ |
Affected:
1.3b
(firmware)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T14:42:36.722963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T14:42:50.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIRCUTOR TCP2RS+",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "1.3b",
"versionType": "firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha"
},
{
"lang": "en",
"type": "finder",
"value": "Javier Fernandez Ber\u00e9"
},
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
}
],
"datePublic": "2024-09-16T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle."
}
],
"value": "Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T12:54:04.077Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR TCP2RS+ device firmware version 1.3.b (2017), presents 2 security vulnerabilities exploitable mainly in public communication networks, especially in networks not adequately protected. CIRCUTOR strongly recommends replacing the TCP2RS+ device with the current Line-TCPRS1, both in private and public network environments."
}
],
"value": "CIRCUTOR TCP2RS+ device firmware version 1.3.b (2017), presents 2 security vulnerabilities exploitable mainly in public communication networks, especially in networks not adequately protected. CIRCUTOR strongly recommends replacing the TCP2RS+ device with the current Line-TCPRS1, both in private and public network environments."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Uncontrolled Resource Consumption vulnerability on CIRCUTOR TCP2RS+",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-8892",
"datePublished": "2024-09-18T12:54:04.077Z",
"dateReserved": "2024-09-16T10:20:33.376Z",
"dateUpdated": "2024-09-18T14:42:50.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8890 (GCVE-0-2024-8890)
Vulnerability from nvd – Published: 2024-09-18 13:03 – Updated: 2024-09-18 14:36- CWE-201 - Insertion of Sensitive Information Into Sent Data
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | CIRCUTOR Q-SMT |
Affected:
1.0.4
(firmware)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8890",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T14:36:13.020662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T14:36:22.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIRCUTOR Q-SMT",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "1.0.4",
"versionType": "firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha"
},
{
"lang": "en",
"type": "finder",
"value": "Gabriel V\u00eda Echezarreta"
}
],
"datePublic": "2024-09-16T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker with access to the network where the CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could obtain legitimate credentials or steal sessions due to the fact that the device only implements the HTTP protocol. This fact prevents a secure communication channel from being established."
}
],
"value": "An attacker with access to the network where the CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could obtain legitimate credentials or steal sessions due to the fact that the device only implements the HTTP protocol. This fact prevents a secure communication channel from being established."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:04:13.468Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insertion of Sensitive Information Into Sent Data vulnerability on CIRCUTOR Q-SMT",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-8890",
"datePublished": "2024-09-18T13:03:31.453Z",
"dateReserved": "2024-09-16T10:20:31.758Z",
"dateUpdated": "2024-09-18T14:36:22.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8889 (GCVE-0-2024-8889)
Vulnerability from nvd – Published: 2024-09-18 12:00 – Updated: 2024-09-18 13:09- CWE-20 - Improper Input Validation
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | CIRCUTOR TCP2RS+ |
Affected:
1.3b
(firmware)
|
|
| circutor | circutor_tcp2rs_plus |
Affected:
1.3b
cpe:2.3:a:circutor:circutor_tcp2rs_plus:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:circutor:circutor_tcp2rs_plus:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "circutor_tcp2rs_plus",
"vendor": "circutor",
"versions": [
{
"status": "affected",
"version": "1.3b"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8889",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T13:02:10.649196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:09:03.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIRCUTOR TCP2RS+",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "1.3b",
"versionType": "firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha"
},
{
"lang": "en",
"type": "finder",
"value": "Javier Fernandez Ber\u00e9"
},
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
}
],
"datePublic": "2024-09-16T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle."
}
],
"value": "Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T12:00:11.071Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR TCP2RS+ device firmware version 1.3.b (2017), presents 2 security vulnerabilities exploitable mainly in public communication networks, especially in networks not adequately protected. CIRCUTOR strongly recommends replacing the TCP2RS+ device with the current Line-TCPRS1, both in private and public network environments."
}
],
"value": "CIRCUTOR TCP2RS+ device firmware version 1.3.b (2017), presents 2 security vulnerabilities exploitable mainly in public communication networks, especially in networks not adequately protected. CIRCUTOR strongly recommends replacing the TCP2RS+ device with the current Line-TCPRS1, both in private and public network environments."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Input Validation vulnerability on CIRCUTOR TCP2RS+",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-8889",
"datePublished": "2024-09-18T12:00:11.071Z",
"dateReserved": "2024-09-16T10:20:30.893Z",
"dateUpdated": "2024-09-18T13:09:03.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8888 (GCVE-0-2024-8888)
Vulnerability from nvd – Published: 2024-09-18 11:54 – Updated: 2024-09-18 13:14- CWE-613 - Insufficient Session Expiration
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | CIRCUTOR Q-SMT |
Affected:
1.0.4
(firmware)
|
|
| circutor | circutor_q_smt |
Affected:
10.4
cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "circutor_q_smt",
"vendor": "circutor",
"versions": [
{
"status": "affected",
"version": "10.4"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T13:10:09.717495Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:14:00.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIRCUTOR Q-SMT",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "1.0.4",
"versionType": "firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha"
},
{
"lang": "en",
"type": "finder",
"value": "Gabriel V\u00eda Echezarreta"
}
],
"datePublic": "2024-09-16T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc."
}
],
"value": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T11:54:47.337Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insufficient Session Expiration vulnerability on CIRCUTOR Q-SMT",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-8888",
"datePublished": "2024-09-18T11:54:47.337Z",
"dateReserved": "2024-09-16T10:20:29.982Z",
"dateUpdated": "2024-09-18T13:14:00.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8887 (GCVE-0-2024-8887)
Vulnerability from nvd – Published: 2024-09-18 11:05 – Updated: 2024-09-18 13:26- CWE-1284 - Improper Validation of Specified Quantity in Input
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | CIRCUTOR Q-SMT |
Affected:
1.0.4
(firmware)
|
|
| circutor | circutor_q_smt |
Affected:
1.0.4
cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "circutor_q_smt",
"vendor": "circutor",
"versions": [
{
"status": "affected",
"version": "1.0.4"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8887",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T13:24:41.180459Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:26:55.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIRCUTOR Q-SMT",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "1.0.4",
"versionType": "firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha"
},
{
"lang": "en",
"type": "finder",
"value": "Gabriel V\u00eda Echezarreta"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR Q-SMT in its firmware version 1.0.4, could be affected by a denial of service (DoS) attack if an attacker with access to the web service bypasses the authentication mechanisms on the login page, allowing the attacker to use all the functionalities implemented at web level that allow interacting with the device."
}
],
"value": "CIRCUTOR Q-SMT in its firmware version 1.0.4, could be affected by a denial of service (DoS) attack if an attacker with access to the web service bypasses the authentication mechanisms on the login page, allowing the attacker to use all the functionalities implemented at web level that allow interacting with the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284 Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T11:05:31.015Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authentication bypass vulnerability on CIRCUTOR Q-SMT",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-8887",
"datePublished": "2024-09-18T11:05:31.015Z",
"dateReserved": "2024-09-16T10:20:28.952Z",
"dateUpdated": "2024-09-18T13:26:55.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1669 (GCVE-0-2022-1669)
Vulnerability from nvd – Published: 2022-05-24 17:38 – Updated: 2025-04-16 16:18- CWE-121 - Stack-based Buffer Overflow
| URL | Tags |
|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsa-2… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | COMPACT DC-S BASIC |
Affected:
CIR_CDC_v1.2.17
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-137-01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-1669",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:51:49.403979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:18:54.034Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "COMPACT DC-S BASIC",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "CIR_CDC_v1.2.17"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Angel Garcia Moreno reported this vulnerability to CISA."
}
],
"datePublic": "2022-05-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A buffer overflow vulnerability has been detected in the firewall function of the device management web portal. The device runs a CGI binary (index.cgi) to offer a management web application. Once authenticated with valid credentials in this web portal, a potential attacker could submit any \"Address\" value and it would be copied to a second variable with a \"strcpy\" vulnerable function without checking its length. Because of this, it is possible to send a long address value to overflow the process stack, controlling the function return address."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-24T17:38:36.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-137-01"
}
],
"source": {
"advisory": "ICSA-22-137-01",
"discovery": "EXTERNAL"
},
"title": "Circutor COMPACT DC-S BASIC",
"workarounds": [
{
"lang": "en",
"value": "Circutor has not responded to requests to work with CISA to mitigate this vulnerability. Users of these affected products are invited to contact Circutor customer support for additional information."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-05-17T18:31:00.000Z",
"ID": "CVE-2022-1669",
"STATE": "PUBLIC",
"TITLE": "Circutor COMPACT DC-S BASIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "COMPACT DC-S BASIC",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "CIR_CDC_v1.2.17",
"version_value": "CIR_CDC_v1.2.17"
}
]
}
}
]
},
"vendor_name": "CIRCUTOR"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Angel Garcia Moreno reported this vulnerability to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A buffer overflow vulnerability has been detected in the firewall function of the device management web portal. The device runs a CGI binary (index.cgi) to offer a management web application. Once authenticated with valid credentials in this web portal, a potential attacker could submit any \"Address\" value and it would be copied to a second variable with a \"strcpy\" vulnerable function without checking its length. Because of this, it is possible to send a long address value to overflow the process stack, controlling the function return address."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-121 Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-137-01",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-137-01"
}
]
},
"source": {
"advisory": "ICSA-22-137-01",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Circutor has not responded to requests to work with CISA to mitigate this vulnerability. Users of these affected products are invited to contact Circutor customer support for additional information."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-1669",
"datePublished": "2022-05-24T17:38:36.592Z",
"dateReserved": "2022-05-10T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:18:54.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33841 (GCVE-0-2021-33841)
Vulnerability from nvd – Published: 2021-06-09 11:50 – Updated: 2024-09-16 17:59- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| URL | Tags |
|---|---|
| https://www.incibe.es/en/incibe-cert/notices/avis… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | SGE-PLC1000 |
Affected:
0.9.2b
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:23.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/circutor-sge-plc1000-os-command-injection"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SGE-PLC1000",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "0.9.2b"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Industrial Cybersecurity team of S21sec, special mention to Aar\u00f3n Flecha Men\u00e9ndez."
}
],
"datePublic": "2021-06-07T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges."
}
],
"value": "SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-22T12:26:06.361Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/circutor-sge-plc1000-os-command-injection"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue can be solved through a firmware upgrade that has already been released by the vendor."
}
],
"value": "This issue can be solved through a firmware upgrade that has already been released by the vendor."
}
],
"source": {
"advisory": "INCIBE-2021-0227",
"discovery": "EXTERNAL"
},
"title": "Circutor SGE-PLC1000 OS command Injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-coordination@incibe.es",
"DATE_PUBLIC": "2021-06-08T08:00:00.000Z",
"ID": "CVE-2021-33841",
"STATE": "PUBLIC",
"TITLE": "Circutor SGE-PLC1000 OS command Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SGE-PLC1000",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "0.9.2b",
"version_value": "0.9.2b"
}
]
}
}
]
},
"vendor_name": "Circutor"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Industrial Cybersecurity team of S21sec, special mention to Aar\u00f3n Flecha Men\u00e9ndez."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.incibe-cert.es/en/early-warning/ics-advisories/circutor-sge-plc1000-os-command-injection",
"refsource": "CONFIRM",
"url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/circutor-sge-plc1000-os-command-injection"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue can be solved through a firmware upgrade that has already been released by the vendor."
}
],
"source": {
"advisory": "INCIBE-2021-0227",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2021-33841",
"datePublished": "2021-06-09T11:50:24.638Z",
"dateReserved": "2021-06-04T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:59:08.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33842 (GCVE-0-2021-33842)
Vulnerability from nvd – Published: 2021-06-09 11:39 – Updated: 2024-09-16 20:01- CWE-565 - Reliance on Cookies without Validation and Integrity Checking
| URL | Tags |
|---|---|
| https://www.incibe.es/en/incibe-cert/notices/avis… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | SGE-PLC1000 |
Affected:
0.9.2b
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:23.180Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/circutor-sge-plc1000-improper-authentication"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SGE-PLC1000",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "0.9.2b"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Industrial Cybersecurity team of S21sec, special mention to Aar\u00f3n Flecha Men\u00e9ndez."
}
],
"datePublic": "2021-06-07T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located."
}
],
"value": "Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-565",
"description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-23T13:47:01.158Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/circutor-sge-plc1000-improper-authentication"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue can be solved through a firmware upgrade that has already been released by the vendor."
}
],
"value": "This issue can be solved through a firmware upgrade that has already been released by the vendor."
}
],
"source": {
"advisory": "INCIBE-2021-0228",
"discovery": "EXTERNAL"
},
"title": "Circutor SGE-PLC1000 improper authentication",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-coordination@incibe.es",
"DATE_PUBLIC": "2021-06-08T08:00:00.000Z",
"ID": "CVE-2021-33842",
"STATE": "PUBLIC",
"TITLE": "Circutor SGE-PLC1000 improper authentication"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SGE-PLC1000",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "0.9.2b",
"version_value": "0.9.2b"
}
]
}
}
]
},
"vendor_name": "Circutor"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Industrial Cybersecurity team of S21sec, special mention to Aar\u00f3n Flecha Men\u00e9ndez."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.incibe-cert.es/en/early-warning/ics-advisories/circutor-sge-plc1000-improper-authentication",
"refsource": "CONFIRM",
"url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/circutor-sge-plc1000-improper-authentication"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue can be solved through a firmware upgrade that has already been released by the vendor."
}
],
"source": {
"advisory": "INCIBE-2021-0228",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2021-33842",
"datePublished": "2021-06-09T11:39:52.302Z",
"dateReserved": "2021-06-04T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:01:18.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-64385 (GCVE-0-2025-64385)
Vulnerability from cvelistv5 – Published: 2025-10-31 14:23 – Updated: 2025-11-03 19:06- CWE-20 - Improper Input Validation
| URL | Tags |
|---|---|
| https://cds.thalesgroup.com/es/s21sec | |
| https://circutor.com/productos/iot-industrial-y-a… | product |
| https://www.hackrtu.com/blog/cg-0day-en-003/ | technical-description |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | TCPRS1plus |
Affected:
1.0.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T19:06:09.900343Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T19:06:16.313Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TCPRS1plus",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "1.0.14"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:circutor:tcprs1plus:1.0.14:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
},
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez"
},
{
"lang": "en",
"type": "coordinator",
"value": "Iv\u00e1n Alonso \u00c1lvarez"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The equipment initially can be configured using the manufacturer\u0027s application, by Wi-Fi, by the web server or with the manufacturer\u2019s software.\u003cbr\u003eUsing the manufacturer\u0027s software, the device can be configured via UDP. Analyzing this communication, it has been observed that any aspect of the initial configuration can be changed by means of the device\u0027s MAC without the need for authentication."
}
],
"value": "The equipment initially can be configured using the manufacturer\u0027s application, by Wi-Fi, by the web server or with the manufacturer\u2019s software.\nUsing the manufacturer\u0027s software, the device can be configured via UDP. Analyzing this communication, it has been observed that any aspect of the initial configuration can be changed by means of the device\u0027s MAC without the need for authentication."
}
],
"impacts": [
{
"capecId": "CAPEC-10",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-10 Buffer Overflow via Environment Variables"
}
]
},
{
"capecId": "CAPEC-101",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-101 Server Side Include (SSI) Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T15:46:13.848Z",
"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"shortName": "S21sec"
},
"references": [
{
"url": "https://cds.thalesgroup.com/es/s21sec"
},
{
"tags": [
"product"
],
"url": "https://circutor.com/productos/iot-industrial-y-automatizacion/conversores-y-pasarelas/product/D80010./"
},
{
"tags": [
"technical-description"
],
"url": "https://www.hackrtu.com/blog/cg-0day-en-003/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This service has been removed in the new version.\u003cbr\u003e"
}
],
"value": "This service has been removed in the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "INCORRECT SECURITY VALIDATION IN SENDING UDP FRAMES",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"assignerShortName": "S21sec",
"cveId": "CVE-2025-64385",
"datePublished": "2025-10-31T14:23:06.442Z",
"dateReserved": "2025-10-31T13:13:35.298Z",
"dateUpdated": "2025-11-03T19:06:16.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64389 (GCVE-0-2025-64389)
Vulnerability from cvelistv5 – Published: 2025-10-31 14:19 – Updated: 2025-11-03 19:11- CWE-319 - Cleartext Transmission of Sensitive Information
| URL | Tags |
|---|---|
| https://cds.thalesgroup.com/es/s21sec | |
| https://circutor.com/productos/iot-industrial-y-a… | product |
| https://www.hackrtu.com/blog/cg-0day-en-003/ | technical-description |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | TCPRS1plus |
Affected:
1.0.14
(Firmware)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T19:11:35.879313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T19:11:41.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TCPRS1plus",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "1.0.14",
"versionType": "Firmware"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:circutor:tcprs1plus:1.0.14:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
},
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez"
},
{
"lang": "en",
"type": "coordinator",
"value": "Iv\u00e1n Alonso \u00c1lvarez"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The web server of the device performs exchanges of sensitive information in clear text through an insecure protocol."
}
],
"value": "The web server of the device performs exchanges of sensitive information in clear text through an insecure protocol."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:L/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T15:45:50.652Z",
"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"shortName": "S21sec"
},
"references": [
{
"url": "https://cds.thalesgroup.com/es/s21sec"
},
{
"tags": [
"product"
],
"url": "https://circutor.com/productos/iot-industrial-y-automatizacion/conversores-y-pasarelas/product/D80010./"
},
{
"tags": [
"technical-description"
],
"url": "https://www.hackrtu.com/blog/cg-0day-en-003/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The new version of the device will use the HTTPS protocol.\n\n\u003cbr\u003e"
}
],
"value": "The new version of the device will use the HTTPS protocol."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "EXCHANGE OF SENSITIVE INFORMATION IN CLEAR TEXT",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"assignerShortName": "S21sec",
"cveId": "CVE-2025-64389",
"datePublished": "2025-10-31T14:19:48.833Z",
"dateReserved": "2025-10-31T13:13:35.299Z",
"dateUpdated": "2025-11-03T19:11:41.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64388 (GCVE-0-2025-64388)
Vulnerability from cvelistv5 – Published: 2025-10-31 14:17 – Updated: 2025-11-03 15:47- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://cds.thalesgroup.com/es/s21sec | |
| https://circutor.com/productos/iot-industrial-y-a… | product |
| https://www.hackrtu.com/blog/cg-0day-en-003/ | technical-description |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | TCPRS1plus |
Affected:
1.0.14
(Firmware)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T14:41:48.866891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T14:42:03.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TCPRS1plus",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "1.0.14",
"versionType": "Firmware"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:circutor:tcprs1plus:1.0.14:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
},
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez"
},
{
"lang": "en",
"type": "coordinator",
"value": "Iv\u00e1n Alonso \u00c1lvarez"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Denial of service of the web server through specific requests to this protocol"
}
],
"value": "Denial of service of the web server through specific requests to this protocol"
}
],
"impacts": [
{
"capecId": "CAPEC-469",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-469 HTTP DoS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T15:47:20.502Z",
"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"shortName": "S21sec"
},
"references": [
{
"url": "https://cds.thalesgroup.com/es/s21sec"
},
{
"tags": [
"product"
],
"url": "https://circutor.com/productos/iot-industrial-y-automatizacion/conversores-y-pasarelas/product/D80010./"
},
{
"tags": [
"technical-description"
],
"url": "https://www.hackrtu.com/blog/cg-0day-en-003/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The new version of the device will use the HTTPS protocol.\u0026nbsp;It is also recommended to deploy it behind a firewall that allows you to prevent this attack.\u003cbr\u003e"
}
],
"value": "The new version of the device will use the HTTPS protocol.\u00a0It is also recommended to deploy it behind a firewall that allows you to prevent this attack."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Denial of service through specific packets",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"assignerShortName": "S21sec",
"cveId": "CVE-2025-64388",
"datePublished": "2025-10-31T14:17:00.827Z",
"dateReserved": "2025-10-31T13:13:35.299Z",
"dateUpdated": "2025-11-03T15:47:20.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64387 (GCVE-0-2025-64387)
Vulnerability from cvelistv5 – Published: 2025-10-31 14:12 – Updated: 2025-11-03 15:48- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
| URL | Tags |
|---|---|
| https://circutor.com/productos/iot-industrial-y-a… | product |
| https://cds.thalesgroup.com/es/s21sec | |
| https://www.hackrtu.com/blog/cg-0day-en-003/ | technical-description |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | TCPRS1plus |
Affected:
1.0.14
(Firmware)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64387",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T14:38:04.393974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T14:39:38.610Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TCPRS1plus",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "1.0.14",
"versionType": "Firmware"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:circutor:tcprs1plus:1.0.14:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
},
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez"
},
{
"lang": "en",
"type": "coordinator",
"value": "Iv\u00e1n Alonso \u00c1lvarez"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The web application is vulnerable to a so-called \u2018clickjacking\u2019 attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate."
}
],
"value": "The web application is vulnerable to a so-called \u2018clickjacking\u2019 attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate."
}
],
"impacts": [
{
"capecId": "CAPEC-103",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-103 Clickjacking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T15:48:02.400Z",
"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"shortName": "S21sec"
},
"references": [
{
"tags": [
"product"
],
"url": "https://circutor.com/productos/iot-industrial-y-automatizacion/conversores-y-pasarelas/product/D80010./"
},
{
"url": "https://cds.thalesgroup.com/es/s21sec"
},
{
"tags": [
"technical-description"
],
"url": "https://www.hackrtu.com/blog/cg-0day-en-003/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The new version of the device will use the HTTPS protocol.\u003cbr\u003e"
}
],
"value": "The new version of the device will use the HTTPS protocol."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CLICKJACKING",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"assignerShortName": "S21sec",
"cveId": "CVE-2025-64387",
"datePublished": "2025-10-31T14:12:55.199Z",
"dateReserved": "2025-10-31T13:13:35.299Z",
"dateUpdated": "2025-11-03T15:48:02.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64386 (GCVE-0-2025-64386)
Vulnerability from cvelistv5 – Published: 2025-10-31 13:42 – Updated: 2025-11-03 15:51- CWE-613 - Insufficient Session Expiration
| URL | Tags |
|---|---|
| https://circutor.com/productos/iot-industrial-y-a… | product |
| https://www.hackrtu.com/blog/cg-0day-en-003/ | technical-description |
| https://cds.thalesgroup.com/es/s21sec-about |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | TCPRS1plus |
Affected:
1.0.14
(Firmware)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T14:22:45.570351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T14:22:50.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TCPRS1plus",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "1.0.14",
"versionType": "Firmware"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:circutor:tcprs1plus:1.0.14:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
},
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez"
},
{
"lang": "en",
"type": "coordinator",
"value": "Iv\u00e1n Alonso \u00c1lvarez"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;The\nequipment grants a JWT token for each connection in the timeline, but during an\nactive valid session, a hijacking of the token can be done. This will allow an\nattacker with the token modify parameters of security, access or even steal the\nsession without\nthe legitimate and active session detecting it. The web server allows the\nattacker to reuse an old session JWT token while the legitimate session is\nactive."
}
],
"value": "The\nequipment grants a JWT token for each connection in the timeline, but during an\nactive valid session, a hijacking of the token can be done. This will allow an\nattacker with the token modify parameters of security, access or even steal the\nsession without\nthe legitimate and active session detecting it. The web server allows the\nattacker to reuse an old session JWT token while the legitimate session is\nactive."
}
],
"impacts": [
{
"capecId": "CAPEC-593",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-593 Session Hijacking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T15:51:03.421Z",
"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"shortName": "S21sec"
},
"references": [
{
"tags": [
"product"
],
"url": "https://circutor.com/productos/iot-industrial-y-automatizacion/conversores-y-pasarelas/product/D80010./"
},
{
"tags": [
"technical-description"
],
"url": "https://www.hackrtu.com/blog/cg-0day-en-003/"
},
{
"url": "https://cds.thalesgroup.com/es/s21sec-about"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HIJACKING OF THE TOKEN AND GAINING ACCESS",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"assignerShortName": "S21sec",
"cveId": "CVE-2025-64386",
"datePublished": "2025-10-31T13:42:32.743Z",
"dateReserved": "2025-10-31T13:13:35.299Z",
"dateUpdated": "2025-11-03T15:51:03.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8891 (GCVE-0-2024-8891)
Vulnerability from cvelistv5 – Published: 2024-09-18 13:10 – Updated: 2024-09-18 15:28- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | CIRCUTOR Q-SMT |
Affected:
1.0.4
(firmware)
|
|
| circutor | circutor_q_smt |
Affected:
1.0.4
cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "circutor_q_smt",
"vendor": "circutor",
"versions": [
{
"status": "affected",
"version": "1.0.4"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T15:27:44.779995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T15:28:30.964Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIRCUTOR Q-SMT",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "1.0.4",
"versionType": "firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha"
},
{
"lang": "en",
"type": "finder",
"value": "Gabriel V\u00eda Echezarreta"
}
],
"datePublic": "2024-09-16T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker with no knowledge of the current users in the web application, could build a dictionary of potential users and check the server responses as it indicates whether or not the user is present in CIRCUTOR Q-SMT in its firmware version 1.0.4."
}
],
"value": "An attacker with no knowledge of the current users in the web application, could build a dictionary of potential users and check the server responses as it indicates whether or not the user is present in CIRCUTOR Q-SMT in its firmware version 1.0.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:10:01.274Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Exposure of Private Personal Information to an Unauthorized Actor vulnerability on CIRCUTOR Q-SMT",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-8891",
"datePublished": "2024-09-18T13:10:01.274Z",
"dateReserved": "2024-09-16T10:20:32.471Z",
"dateUpdated": "2024-09-18T15:28:30.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8890 (GCVE-0-2024-8890)
Vulnerability from cvelistv5 – Published: 2024-09-18 13:03 – Updated: 2024-09-18 14:36- CWE-201 - Insertion of Sensitive Information Into Sent Data
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | CIRCUTOR Q-SMT |
Affected:
1.0.4
(firmware)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8890",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T14:36:13.020662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T14:36:22.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIRCUTOR Q-SMT",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "1.0.4",
"versionType": "firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha"
},
{
"lang": "en",
"type": "finder",
"value": "Gabriel V\u00eda Echezarreta"
}
],
"datePublic": "2024-09-16T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker with access to the network where the CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could obtain legitimate credentials or steal sessions due to the fact that the device only implements the HTTP protocol. This fact prevents a secure communication channel from being established."
}
],
"value": "An attacker with access to the network where the CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could obtain legitimate credentials or steal sessions due to the fact that the device only implements the HTTP protocol. This fact prevents a secure communication channel from being established."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:04:13.468Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insertion of Sensitive Information Into Sent Data vulnerability on CIRCUTOR Q-SMT",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-8890",
"datePublished": "2024-09-18T13:03:31.453Z",
"dateReserved": "2024-09-16T10:20:31.758Z",
"dateUpdated": "2024-09-18T14:36:22.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8892 (GCVE-0-2024-8892)
Vulnerability from cvelistv5 – Published: 2024-09-18 12:54 – Updated: 2024-09-18 14:42- CWE-400 - Uncontrolled Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | CIRCUTOR TCP2RS+ |
Affected:
1.3b
(firmware)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T14:42:36.722963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T14:42:50.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIRCUTOR TCP2RS+",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "1.3b",
"versionType": "firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha"
},
{
"lang": "en",
"type": "finder",
"value": "Javier Fernandez Ber\u00e9"
},
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
}
],
"datePublic": "2024-09-16T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle."
}
],
"value": "Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T12:54:04.077Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR TCP2RS+ device firmware version 1.3.b (2017), presents 2 security vulnerabilities exploitable mainly in public communication networks, especially in networks not adequately protected. CIRCUTOR strongly recommends replacing the TCP2RS+ device with the current Line-TCPRS1, both in private and public network environments."
}
],
"value": "CIRCUTOR TCP2RS+ device firmware version 1.3.b (2017), presents 2 security vulnerabilities exploitable mainly in public communication networks, especially in networks not adequately protected. CIRCUTOR strongly recommends replacing the TCP2RS+ device with the current Line-TCPRS1, both in private and public network environments."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Uncontrolled Resource Consumption vulnerability on CIRCUTOR TCP2RS+",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-8892",
"datePublished": "2024-09-18T12:54:04.077Z",
"dateReserved": "2024-09-16T10:20:33.376Z",
"dateUpdated": "2024-09-18T14:42:50.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8889 (GCVE-0-2024-8889)
Vulnerability from cvelistv5 – Published: 2024-09-18 12:00 – Updated: 2024-09-18 13:09- CWE-20 - Improper Input Validation
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | CIRCUTOR TCP2RS+ |
Affected:
1.3b
(firmware)
|
|
| circutor | circutor_tcp2rs_plus |
Affected:
1.3b
cpe:2.3:a:circutor:circutor_tcp2rs_plus:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:circutor:circutor_tcp2rs_plus:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "circutor_tcp2rs_plus",
"vendor": "circutor",
"versions": [
{
"status": "affected",
"version": "1.3b"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8889",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T13:02:10.649196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:09:03.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIRCUTOR TCP2RS+",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "1.3b",
"versionType": "firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha"
},
{
"lang": "en",
"type": "finder",
"value": "Javier Fernandez Ber\u00e9"
},
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Bello Cuevas"
}
],
"datePublic": "2024-09-16T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle."
}
],
"value": "Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T12:00:11.071Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR TCP2RS+ device firmware version 1.3.b (2017), presents 2 security vulnerabilities exploitable mainly in public communication networks, especially in networks not adequately protected. CIRCUTOR strongly recommends replacing the TCP2RS+ device with the current Line-TCPRS1, both in private and public network environments."
}
],
"value": "CIRCUTOR TCP2RS+ device firmware version 1.3.b (2017), presents 2 security vulnerabilities exploitable mainly in public communication networks, especially in networks not adequately protected. CIRCUTOR strongly recommends replacing the TCP2RS+ device with the current Line-TCPRS1, both in private and public network environments."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Input Validation vulnerability on CIRCUTOR TCP2RS+",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-8889",
"datePublished": "2024-09-18T12:00:11.071Z",
"dateReserved": "2024-09-16T10:20:30.893Z",
"dateUpdated": "2024-09-18T13:09:03.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8888 (GCVE-0-2024-8888)
Vulnerability from cvelistv5 – Published: 2024-09-18 11:54 – Updated: 2024-09-18 13:14- CWE-613 - Insufficient Session Expiration
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | CIRCUTOR Q-SMT |
Affected:
1.0.4
(firmware)
|
|
| circutor | circutor_q_smt |
Affected:
10.4
cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "circutor_q_smt",
"vendor": "circutor",
"versions": [
{
"status": "affected",
"version": "10.4"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T13:10:09.717495Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:14:00.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIRCUTOR Q-SMT",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "1.0.4",
"versionType": "firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha"
},
{
"lang": "en",
"type": "finder",
"value": "Gabriel V\u00eda Echezarreta"
}
],
"datePublic": "2024-09-16T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc."
}
],
"value": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T11:54:47.337Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insufficient Session Expiration vulnerability on CIRCUTOR Q-SMT",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-8888",
"datePublished": "2024-09-18T11:54:47.337Z",
"dateReserved": "2024-09-16T10:20:29.982Z",
"dateUpdated": "2024-09-18T13:14:00.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8887 (GCVE-0-2024-8887)
Vulnerability from cvelistv5 – Published: 2024-09-18 11:05 – Updated: 2024-09-18 13:26- CWE-1284 - Improper Validation of Specified Quantity in Input
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | CIRCUTOR Q-SMT |
Affected:
1.0.4
(firmware)
|
|
| circutor | circutor_q_smt |
Affected:
1.0.4
cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "circutor_q_smt",
"vendor": "circutor",
"versions": [
{
"status": "affected",
"version": "1.0.4"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8887",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T13:24:41.180459Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:26:55.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIRCUTOR Q-SMT",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "1.0.4",
"versionType": "firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha"
},
{
"lang": "en",
"type": "finder",
"value": "Gabriel V\u00eda Echezarreta"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR Q-SMT in its firmware version 1.0.4, could be affected by a denial of service (DoS) attack if an attacker with access to the web service bypasses the authentication mechanisms on the login page, allowing the attacker to use all the functionalities implemented at web level that allow interacting with the device."
}
],
"value": "CIRCUTOR Q-SMT in its firmware version 1.0.4, could be affected by a denial of service (DoS) attack if an attacker with access to the web service bypasses the authentication mechanisms on the login page, allowing the attacker to use all the functionalities implemented at web level that allow interacting with the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284 Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T11:05:31.015Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authentication bypass vulnerability on CIRCUTOR Q-SMT",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-8887",
"datePublished": "2024-09-18T11:05:31.015Z",
"dateReserved": "2024-09-16T10:20:28.952Z",
"dateUpdated": "2024-09-18T13:26:55.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1669 (GCVE-0-2022-1669)
Vulnerability from cvelistv5 – Published: 2022-05-24 17:38 – Updated: 2025-04-16 16:18- CWE-121 - Stack-based Buffer Overflow
| URL | Tags |
|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsa-2… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| CIRCUTOR | COMPACT DC-S BASIC |
Affected:
CIR_CDC_v1.2.17
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-137-01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-1669",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:51:49.403979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:18:54.034Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "COMPACT DC-S BASIC",
"vendor": "CIRCUTOR",
"versions": [
{
"status": "affected",
"version": "CIR_CDC_v1.2.17"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Angel Garcia Moreno reported this vulnerability to CISA."
}
],
"datePublic": "2022-05-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A buffer overflow vulnerability has been detected in the firewall function of the device management web portal. The device runs a CGI binary (index.cgi) to offer a management web application. Once authenticated with valid credentials in this web portal, a potential attacker could submit any \"Address\" value and it would be copied to a second variable with a \"strcpy\" vulnerable function without checking its length. Because of this, it is possible to send a long address value to overflow the process stack, controlling the function return address."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-24T17:38:36.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-137-01"
}
],
"source": {
"advisory": "ICSA-22-137-01",
"discovery": "EXTERNAL"
},
"title": "Circutor COMPACT DC-S BASIC",
"workarounds": [
{
"lang": "en",
"value": "Circutor has not responded to requests to work with CISA to mitigate this vulnerability. Users of these affected products are invited to contact Circutor customer support for additional information."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-05-17T18:31:00.000Z",
"ID": "CVE-2022-1669",
"STATE": "PUBLIC",
"TITLE": "Circutor COMPACT DC-S BASIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "COMPACT DC-S BASIC",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "CIR_CDC_v1.2.17",
"version_value": "CIR_CDC_v1.2.17"
}
]
}
}
]
},
"vendor_name": "CIRCUTOR"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Angel Garcia Moreno reported this vulnerability to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A buffer overflow vulnerability has been detected in the firewall function of the device management web portal. The device runs a CGI binary (index.cgi) to offer a management web application. Once authenticated with valid credentials in this web portal, a potential attacker could submit any \"Address\" value and it would be copied to a second variable with a \"strcpy\" vulnerable function without checking its length. Because of this, it is possible to send a long address value to overflow the process stack, controlling the function return address."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-121 Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-137-01",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-137-01"
}
]
},
"source": {
"advisory": "ICSA-22-137-01",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Circutor has not responded to requests to work with CISA to mitigate this vulnerability. Users of these affected products are invited to contact Circutor customer support for additional information."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-1669",
"datePublished": "2022-05-24T17:38:36.592Z",
"dateReserved": "2022-05-10T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:18:54.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33841 (GCVE-0-2021-33841)
Vulnerability from cvelistv5 – Published: 2021-06-09 11:50 – Updated: 2024-09-16 17:59- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| URL | Tags |
|---|---|
| https://www.incibe.es/en/incibe-cert/notices/avis… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | SGE-PLC1000 |
Affected:
0.9.2b
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:23.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/circutor-sge-plc1000-os-command-injection"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SGE-PLC1000",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "0.9.2b"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Industrial Cybersecurity team of S21sec, special mention to Aar\u00f3n Flecha Men\u00e9ndez."
}
],
"datePublic": "2021-06-07T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges."
}
],
"value": "SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-22T12:26:06.361Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/circutor-sge-plc1000-os-command-injection"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue can be solved through a firmware upgrade that has already been released by the vendor."
}
],
"value": "This issue can be solved through a firmware upgrade that has already been released by the vendor."
}
],
"source": {
"advisory": "INCIBE-2021-0227",
"discovery": "EXTERNAL"
},
"title": "Circutor SGE-PLC1000 OS command Injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-coordination@incibe.es",
"DATE_PUBLIC": "2021-06-08T08:00:00.000Z",
"ID": "CVE-2021-33841",
"STATE": "PUBLIC",
"TITLE": "Circutor SGE-PLC1000 OS command Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SGE-PLC1000",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "0.9.2b",
"version_value": "0.9.2b"
}
]
}
}
]
},
"vendor_name": "Circutor"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Industrial Cybersecurity team of S21sec, special mention to Aar\u00f3n Flecha Men\u00e9ndez."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.incibe-cert.es/en/early-warning/ics-advisories/circutor-sge-plc1000-os-command-injection",
"refsource": "CONFIRM",
"url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/circutor-sge-plc1000-os-command-injection"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue can be solved through a firmware upgrade that has already been released by the vendor."
}
],
"source": {
"advisory": "INCIBE-2021-0227",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2021-33841",
"datePublished": "2021-06-09T11:50:24.638Z",
"dateReserved": "2021-06-04T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:59:08.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33842 (GCVE-0-2021-33842)
Vulnerability from cvelistv5 – Published: 2021-06-09 11:39 – Updated: 2024-09-16 20:01- CWE-565 - Reliance on Cookies without Validation and Integrity Checking
| URL | Tags |
|---|---|
| https://www.incibe.es/en/incibe-cert/notices/avis… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Circutor | SGE-PLC1000 |
Affected:
0.9.2b
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:23.180Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/circutor-sge-plc1000-improper-authentication"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SGE-PLC1000",
"vendor": "Circutor",
"versions": [
{
"status": "affected",
"version": "0.9.2b"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Industrial Cybersecurity team of S21sec, special mention to Aar\u00f3n Flecha Men\u00e9ndez."
}
],
"datePublic": "2021-06-07T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located."
}
],
"value": "Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-565",
"description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-23T13:47:01.158Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/circutor-sge-plc1000-improper-authentication"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue can be solved through a firmware upgrade that has already been released by the vendor."
}
],
"value": "This issue can be solved through a firmware upgrade that has already been released by the vendor."
}
],
"source": {
"advisory": "INCIBE-2021-0228",
"discovery": "EXTERNAL"
},
"title": "Circutor SGE-PLC1000 improper authentication",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-coordination@incibe.es",
"DATE_PUBLIC": "2021-06-08T08:00:00.000Z",
"ID": "CVE-2021-33842",
"STATE": "PUBLIC",
"TITLE": "Circutor SGE-PLC1000 improper authentication"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SGE-PLC1000",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "0.9.2b",
"version_value": "0.9.2b"
}
]
}
}
]
},
"vendor_name": "Circutor"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Industrial Cybersecurity team of S21sec, special mention to Aar\u00f3n Flecha Men\u00e9ndez."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.incibe-cert.es/en/early-warning/ics-advisories/circutor-sge-plc1000-improper-authentication",
"refsource": "CONFIRM",
"url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/circutor-sge-plc1000-improper-authentication"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue can be solved through a firmware upgrade that has already been released by the vendor."
}
],
"source": {
"advisory": "INCIBE-2021-0228",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2021-33842",
"datePublished": "2021-06-09T11:39:52.302Z",
"dateReserved": "2021-06-04T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:01:18.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
VAR-202106-1514
Vulnerability from variot - Updated: 2023-12-18 13:42SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges. SGE-PLC1000 The device has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Circutor SGE-PLC1000 is a smart metering system equipment. The main function is to manage the mains power through CIRWATT meters or other meters using PRIME technology.
There is an operating system command injection vulnerability in the Circutor SGE-PLC1000 0.9.2b firmware version
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202106-1514",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "sge-plc1000",
"scope": "eq",
"trust": 1.0,
"vendor": "circutor",
"version": "0.9.2b"
},
{
"model": "sge-plc1000",
"scope": "eq",
"trust": 0.8,
"vendor": "circutor",
"version": "sge-plc1000 firmware 0.9.2b"
},
{
"model": "sge-plc1000",
"scope": "eq",
"trust": 0.8,
"vendor": "circutor",
"version": null
},
{
"model": "sge-plc1000 0.9.2b",
"scope": null,
"trust": 0.6,
"vendor": "circutor",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61767"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008129"
},
{
"db": "NVD",
"id": "CVE-2021-33841"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:circutor:sge-plc1000_firmware:0.9.2b:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:circutor:sge-plc1000:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-33841"
}
]
},
"cve": "CVE-2021-33841",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2021-33841",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2021-61767",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "cve-coordination@incibe.es",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-33841",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-33841",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "cve-coordination@incibe.es",
"id": "CVE-2021-33841",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2021-61767",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202106-727",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2021-33841",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61767"
},
{
"db": "VULMON",
"id": "CVE-2021-33841"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008129"
},
{
"db": "NVD",
"id": "CVE-2021-33841"
},
{
"db": "NVD",
"id": "CVE-2021-33841"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-727"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges. SGE-PLC1000 The device has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Circutor SGE-PLC1000 is a smart metering system equipment. The main function is to manage the mains power through CIRWATT meters or other meters using PRIME technology. \n\r\n\r\nThere is an operating system command injection vulnerability in the Circutor SGE-PLC1000 0.9.2b firmware version",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-33841"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008129"
},
{
"db": "CNVD",
"id": "CNVD-2021-61767"
},
{
"db": "VULMON",
"id": "CVE-2021-33841"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-33841",
"trust": 3.9
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008129",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2021-61767",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202106-727",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-33841",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61767"
},
{
"db": "VULMON",
"id": "CVE-2021-33841"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008129"
},
{
"db": "NVD",
"id": "CVE-2021-33841"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-727"
}
]
},
"id": "VAR-202106-1514",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61767"
}
],
"trust": 1.2666667
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61767"
}
]
},
"last_update_date": "2023-12-18T13:42:32.333000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top\u00a0Page",
"trust": 0.8,
"url": "http://circutor.com/en"
},
{
"title": "Patch for Circutor SGE-PLC1000 operating system command injection vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/285731"
},
{
"title": "Circutor SGE-PLC1000 Fixes for operating system command injection vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=154898"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61767"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008129"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-727"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-008129"
},
{
"db": "NVD",
"id": "CVE-2021-33841"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.1,
"url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/circutor-sge-plc1000-os-command-injection"
},
{
"trust": 1.0,
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/circutor-sge-plc1000-os-command-injection"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33841"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61767"
},
{
"db": "VULMON",
"id": "CVE-2021-33841"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008129"
},
{
"db": "NVD",
"id": "CVE-2021-33841"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-727"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-61767"
},
{
"db": "VULMON",
"id": "CVE-2021-33841"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008129"
},
{
"db": "NVD",
"id": "CVE-2021-33841"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-727"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-08-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-61767"
},
{
"date": "2021-06-09T00:00:00",
"db": "VULMON",
"id": "CVE-2021-33841"
},
{
"date": "2022-03-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-008129"
},
{
"date": "2021-06-09T12:15:07.893000",
"db": "NVD",
"id": "CVE-2021-33841"
},
{
"date": "2021-06-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202106-727"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-08-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-61767"
},
{
"date": "2021-06-21T00:00:00",
"db": "VULMON",
"id": "CVE-2021-33841"
},
{
"date": "2022-03-04T07:19:00",
"db": "JVNDB",
"id": "JVNDB-2021-008129"
},
{
"date": "2023-11-22T13:15:07.610000",
"db": "NVD",
"id": "CVE-2021-33841"
},
{
"date": "2021-06-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202106-727"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202106-727"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Circutor SGE-PLC1000 operating system command injection vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61767"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-727"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system commend injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202106-727"
}
],
"trust": 0.6
}
}
VAR-202106-1515
Vulnerability from variot - Updated: 2023-12-18 12:16Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located. Circutor SGE-PLC1000 There is an authentication vulnerability in the firmware.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Circutor SGE-PLC1000 is a smart metering system equipment. The main function is to manage the mains power through CIRWATT meters or other meters using PRIME technology.
The Circutor SGE-PLC1000 firmware version 0.9.2b has an authorization issue vulnerability
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202106-1515",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "sge-plc1000",
"scope": "eq",
"trust": 1.0,
"vendor": "circutor",
"version": "0.9.2b"
},
{
"model": "sge-plc1000",
"scope": "eq",
"trust": 0.8,
"vendor": "circutor",
"version": "sge-plc1000 firmware 0.9.2b"
},
{
"model": "sge-plc1000",
"scope": "eq",
"trust": 0.8,
"vendor": "circutor",
"version": null
},
{
"model": "sge-plc1000 0.9.2b",
"scope": null,
"trust": 0.6,
"vendor": "circutor",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61768"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008130"
},
{
"db": "NVD",
"id": "CVE-2021-33842"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:circutor:sge-plc1000_firmware:0.9.2b:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:circutor:sge-plc1000:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-33842"
}
]
},
"cve": "CVE-2021-33842",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.7,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 5.1,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Adjacent Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 7.7,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2021-33842",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.7,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 5.1,
"id": "CNVD-2021-61768",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Adjacent Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-33842",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-33842",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "cve-coordination@incibe.es",
"id": "CVE-2021-33842",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2021-61768",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202106-728",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61768"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008130"
},
{
"db": "NVD",
"id": "CVE-2021-33842"
},
{
"db": "NVD",
"id": "CVE-2021-33842"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-728"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located. Circutor SGE-PLC1000 There is an authentication vulnerability in the firmware.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Circutor SGE-PLC1000 is a smart metering system equipment. The main function is to manage the mains power through CIRWATT meters or other meters using PRIME technology. \n\r\n\r\nThe Circutor SGE-PLC1000 firmware version 0.9.2b has an authorization issue vulnerability",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-33842"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008130"
},
{
"db": "CNVD",
"id": "CNVD-2021-61768"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-33842",
"trust": 3.8
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008130",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2021-61768",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202106-728",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61768"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008130"
},
{
"db": "NVD",
"id": "CVE-2021-33842"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-728"
}
]
},
"id": "VAR-202106-1515",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61768"
}
],
"trust": 1.2666667
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61768"
}
]
},
"last_update_date": "2023-12-18T12:16:22.227000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top\u00a0Page",
"trust": 0.8,
"url": "http://circutor.com/en"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-008130"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-565",
"trust": 1.0
},
{
"problemtype": "Improper authentication (CWE-287) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-008130"
},
{
"db": "NVD",
"id": "CVE-2021-33842"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/circutor-sge-plc1000-improper-authentication"
},
{
"trust": 1.0,
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/circutor-sge-plc1000-improper-authentication"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33842"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-61768"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008130"
},
{
"db": "NVD",
"id": "CVE-2021-33842"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-728"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-61768"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008130"
},
{
"db": "NVD",
"id": "CVE-2021-33842"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-728"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-08-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-61768"
},
{
"date": "2022-03-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-008130"
},
{
"date": "2021-06-09T12:15:07.957000",
"db": "NVD",
"id": "CVE-2021-33842"
},
{
"date": "2021-06-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202106-728"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-08-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-61768"
},
{
"date": "2022-03-04T07:19:00",
"db": "JVNDB",
"id": "JVNDB-2021-008130"
},
{
"date": "2023-11-23T14:15:07.440000",
"db": "NVD",
"id": "CVE-2021-33842"
},
{
"date": "2022-10-26T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202106-728"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote or local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202106-728"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Circutor\u00a0SGE-PLC1000\u00a0 Firmware authentication vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-008130"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202106-728"
}
],
"trust": 0.6
}
}