HP published an advisory for three vulnerabilities in its Device Manager software, which lets IT admins remotely manage HP thin clients. CVEs included in the advisory are CVE-2020-6925 (weak cipher), CVE-2020-6926 (remote method invocation), and CVE-2020-6927 (local privilege escalation). Some of these vulnerabilities can be chained together to allow an unauthenticated, remote attacker to gain local SYSTEM privileges on a vulnerable target.
HP advisory: https://support.hp.com/us-en/document/c06921908
Disclosure Date: April 09, 2019 (last updated February 21, 2020)
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0797.
Disclosure Date: February 20, 2020 (last updated October 06, 2023)
A vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account. The vulnerability is due to a system account that has a default and static password and is not under the control of the system administrator. An attacker could exploit this vulnerability by using this default account to connect to the affected system. A successful exploit could allow the attacker to obtain read and write access to system data, including the configuration of an affected device. The attacker would gain access to a sensitive portion of the system, but the attacker would not have full administrative rights to control the device.
Disclosure Date: October 25, 2023 (last updated November 07, 2023)
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.
Disclosure Date: April 27, 2023 (last updated October 08, 2023)
The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.
Multiple Zyxel devices are prone to different critical vulnerabilities resulting from insecure coding practices and insecure configuration.
Besides the unauthenticated buffer overflow in the `zhttpd` webserver, two other vulnerabilities, the unauthenticated local file disclosure (LFI) in combination with a weak password derivation algorithm for user supervisor can be used to establish an unauthenticated RCE.
The remote code execution (RCE) vulnerability can be exploited by chaining the local file disclosure (LFI) vulnerability in the `zhttpd` binary that allows an unauthenticated attacker to read the entire configuration of the router via the vulnerable endpoint `/Export_Log?/data/zcfg_config.json`.
With this information disclosure, the attacker can determine if the router is reachable via SSH and use the second vulnerability in the `zcmd` binary to derive the supervisor password by exploiting a weak password derivation algorithm using the device serial number.
Disclosure Date: April 08, 2020 (last updated October 06, 2023)
Secdo tries to execute a script at a hardcoded path if present, which allows a local authenticated user with 'create folders or append data' access to the root of the OS disk (C:\) to gain system privileges if the path does not already exist or is writable. This issue affects all versions of Secdo for Windows.
Disclosure Date: March 09, 2020 (last updated October 06, 2023)