Common Weakness Enumeration

CWE-424

Allowed-with-Review

Improper Protection of Alternate Path

Abstraction: Class · Status: Draft

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

61 vulnerabilities reference this CWE, most recent first.

CVE-2026-54423 (GCVE-0-2026-54423)

Vulnerability from cvelistv5 – Published: 2026-07-10 03:10 – Updated: 2026-07-10 15:25
VLAI
Summary
In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management interface can maliciously use the send_raw step to send arbitrary IPMI commands to a node, bypassing Ironic's access control.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-424 - Improper Protection of Alternate Path
Assigner
Impacted products
Vendor Product Version
OpenStack Ironic Affected: 22.1.0 , < 29.0.6 (semver)
Affected: 30.0.0 , < 32.0.2 (semver)
Affected: 32.0.0 , < 35.0.2 (semver)
Affected: 36.0.0 , < 37.0.1 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-07-10T05:23:01.821Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/07/08/3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54423",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T15:25:51.179224Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T15:25:59.292Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ipmi"
          ],
          "product": "Ironic",
          "vendor": "OpenStack",
          "versions": [
            {
              "lessThan": "29.0.6",
              "status": "affected",
              "version": "22.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "32.0.2",
              "status": "affected",
              "version": "30.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "35.0.2",
              "status": "affected",
              "version": "32.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "37.0.1",
              "status": "affected",
              "version": "36.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.6",
                  "versionStartIncluding": "22.1.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "32.0.2",
                  "versionStartIncluding": "30.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "35.0.2",
                  "versionStartIncluding": "32.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "37.0.1",
                  "versionStartIncluding": "36.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management interface can maliciously use the send_raw step to send arbitrary IPMI commands to a node, bypassing Ironic\u0027s access control."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-424",
              "description": "CWE-424 Improper Protection of Alternate Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T03:10:54.638Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://bugs.launchpad.net/ironic/+bug/2150458"
        },
        {
          "url": "https://security.openstack.org/ossa/OSSA-2026-025.html"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-54423",
    "datePublished": "2026-07-10T03:10:54.638Z",
    "dateReserved": "2026-06-14T04:04:35.484Z",
    "dateUpdated": "2026-07-10T15:25:59.292Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4913 (GCVE-0-2026-4913)

Vulnerability from cvelistv5 – Published: 2026-04-14 14:10 – Updated: 2026-04-14 15:07
VLAI
Summary
Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-424 - Improper Protection of Alternate Path
Assigner
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4913",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-14T15:07:39.450225Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-14T15:07:48.368Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Neurons for ITSM (On-Premise)",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "2025.4"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Neurons for ITSM (Cloud)",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "2025.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper protection of an alternate path\u0026nbsp;in\u0026nbsp;Ivanti\u0026nbsp;N-ITSM\u0026nbsp;before\u0026nbsp;version 2025.4\u0026nbsp;allows a\u0026nbsp;remote authenticated\u0026nbsp;attacker to\u0026nbsp;retain access when their account has been\u0026nbsp;disabled.\u0026nbsp;\u0026nbsp;"
            }
          ],
          "value": "Improper protection of an alternate path\u00a0in\u00a0Ivanti\u00a0N-ITSM\u00a0before\u00a0version 2025.4\u00a0allows a\u00a0remote authenticated\u00a0attacker to\u00a0retain access when their account has been\u00a0disabled."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-554",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-554 Functionality Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-424",
              "description": "CWE-424: Improper Protection of Alternate Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-14T14:10:37.405Z",
        "orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
        "shortName": "ivanti"
      },
      "references": [
        {
          "url": "https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-4913-CVE-2026-4914?language=en_US"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
    "assignerShortName": "ivanti",
    "cveId": "CVE-2026-4913",
    "datePublished": "2026-04-14T14:10:30.529Z",
    "dateReserved": "2026-03-26T16:37:44.109Z",
    "dateUpdated": "2026-04-14T15:07:48.368Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4270 (GCVE-0-2026-4270)

Vulnerability from cvelistv5 – Published: 2026-03-16 16:07 – Updated: 2026-03-16 18:17
VLAI
Title
AWS API MCP File Access Restriction Bypass
Summary
Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context. To remediate this issue, users should upgrade to version 1.3.9.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-424 - Improper Protection of Alternate Path
Assigner
Impacted products
Vendor Product Version
AWS AWS API MCP Server Affected: 0.2.14 , < 1.3.9 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4270",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-16T18:17:07.044936Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-16T18:17:17.927Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "AWS API MCP Server",
          "vendor": "AWS",
          "versions": [
            {
              "lessThan": "1.3.9",
              "status": "affected",
              "version": "0.2.14",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Protection of Alternate Path exists in the \u003ccode\u003eno-access\u003c/code\u003e and \u003ccode\u003eworkdir\u003c/code\u003e feature of the AWS API MCP Server versions \u0026gt;= 0.2.14 and \u0026lt; 1.3.9 on all platforms may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context.\u003c/p\u003e\u003cp\u003eTo remediate this issue, users should upgrade to version 1.3.9.\u003c/p\u003e"
            }
          ],
          "value": "Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions \u003e= 0.2.14 and \u003c 1.3.9 on all platforms may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context.\n\nTo remediate this issue, users should upgrade to version 1.3.9."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-6",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-6 Argument Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-424",
              "description": "CWE-424: Improper Protection of Alternate Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-16T16:17:11.659Z",
        "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "shortName": "AMZN"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://aws.amazon.com/security/security-bulletins/2026-007-AWS/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://pypi.org/project/awslabs.aws-api-mcp-server/1.3.9/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "AWS API MCP File Access Restriction Bypass",
      "x_generator": {
        "engine": "Vulnogram 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
    "assignerShortName": "AMZN",
    "cveId": "CVE-2026-4270",
    "datePublished": "2026-03-16T16:07:53.324Z",
    "dateReserved": "2026-03-16T14:28:58.998Z",
    "dateUpdated": "2026-03-16T18:17:17.927Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-0268 (GCVE-0-2026-0268)

Vulnerability from cvelistv5 – Published: 2026-06-10 20:40 – Updated: 2026-06-11 13:57
VLAI
Title
Prisma Access Agent: Local Authenticated VPN Enforcement Bypass on Linux
Summary
A security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN tunnel. This does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-424 - Improper Protection of Alternate Path
Assigner
References
Impacted products
Date Public
2026-06-10 16:00
Credits
our internal security research teams
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0268",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T13:57:46.995690Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T13:57:54.692Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "Prisma Access Agent",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "26.2.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "26.2.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "macOS",
            "iOS",
            "Android",
            "Chrome OS"
          ],
          "product": "Prisma Access Agent",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No special configuration is required."
            }
          ],
          "value": "No special configuration is required."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:prisma_access_agent:*:*:*:*:*:Linux:*:*",
                  "versionEndExcluding": "26.2.1",
                  "versionStartIncluding": "26.2.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "our internal security research teams"
        }
      ],
      "datePublic": "2026-06-10T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan\u003eA security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN tunnel.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan\u003eThis does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "A security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN tunnel.\n\n\n\nThis does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "LOW",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-424",
              "description": "CWE-424 Improper Protection of Alternate Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T20:40:11.198Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2026-0268"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ctable class=\"tbl\"\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\n                                    \u003ctd\u003ePrisma Access Agent   on Linux\u003cbr\u003e\u003c/td\u003e\n                                    \u003ctd\u003e25.7 through 26.2.0\u003c/td\u003e\n                                    \u003ctd\u003eUpgrade to 26.2.1 or later.\u003c/td\u003e\n                                \u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrisma Access Agent All on Windows\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrisma Access Agent All on macOS\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrisma Access Agent All on iOS\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrisma Access Agent All on Android\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrisma Access Agent All on Chrome OS\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"
            }
          ],
          "value": "VERSION                                MINOR VERSION         SUGGESTED SOLUTION\nPrisma Access Agent on Linux           25.7 through 26.2.0   Upgrade to 26.2.1 or later.\nPrisma Access Agent All on Windows                           No action needed.\nPrisma Access Agent All on macOS                             No action needed.\nPrisma Access Agent All on iOS                               No action needed.\nPrisma Access Agent All on Android                           No action needed.\nPrisma Access Agent All on Chrome OS                         No action needed."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-10T16:00:00.000Z",
          "value": "Initial publication."
        }
      ],
      "title": "Prisma Access Agent: Local Authenticated VPN Enforcement Bypass on Linux",
      "workarounds": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "There are no known workarounds for this issue."
            }
          ],
          "value": "There are no known workarounds for this issue."
        }
      ],
      "x_affectedList": [
        "Prisma Access Agent   26.2.0"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2026-0268",
    "datePublished": "2026-06-10T20:40:11.198Z",
    "dateReserved": "2025-11-03T20:44:28.362Z",
    "dateUpdated": "2026-06-11T13:57:54.692Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-0237 (GCVE-0-2026-0237)

Vulnerability from cvelistv5 – Published: 2026-05-13 17:48 – Updated: 2026-05-14 03:56
VLAI
Title
Prisma Browser: Improperly Restricted Automation Bridge Allows Security Bypass
Summary
An improper protection of alternate path vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to an internal automation bridge. This allows a locally authenticated non-admin user to leverage an exposed communication channel to send unauthorized commands to the browser, bypassing security controls.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-424 - Improper Protection of Alternate Path
Assigner
References
Impacted products
Vendor Product Version
Palo Alto Networks Prisma Browser Affected: 0 , < 146.16.6.165 (custom)
Create a notification for this product.
Date Public
2026-05-13 16:00
Credits
Cisors
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0237",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T03:56:35.801Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Prisma Browser",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "146.16.6.165",
                  "status": "unaffected"
                }
              ],
              "lessThan": "146.16.6.165",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No special configuration is required to be affected by this issue."
            }
          ],
          "value": "No special configuration is required to be affected by this issue."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:prisma_browser:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "146.16.6.165",
                  "versionStartIncluding": "146.16.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Cisors"
        }
      ],
      "datePublic": "2026-05-13T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An improper protection of alternate path vulnerability in Palo Alto Networks Prisma\u00ae Browser on macOS fails to properly restrict access to an internal automation bridge. This allows a locally authenticated non-admin user to leverage an exposed communication channel to send unauthorized commands to the browser, bypassing security controls."
            }
          ],
          "value": "An improper protection of alternate path vulnerability in Palo Alto Networks Prisma\u00ae Browser on macOS fails to properly restrict access to an internal automation bridge. This allows a locally authenticated non-admin user to leverage an exposed communication channel to send unauthorized commands to the browser, bypassing security controls."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-121",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-121 Exploit Non-Production Interfaces"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-424",
              "description": "CWE-424: Improper Protection of Alternate Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T17:48:17.677Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2026-0237"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ctable class=\"tbl\"\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\n                                \u003ctd\u003ePrisma Browser\u003cbr\u003e\u003c/td\u003e\n                                \n                                \u003ctd\u003eUpgrade to 146.16.6.165 or later.\u003c/td\u003e\n                            \u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"
            }
          ],
          "value": "VERSION          SUGGESTED SOLUTION\nPrisma Browser   Upgrade to 146.16.6.165 or later."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-13T16:00:00.000Z",
          "value": "Initial publication."
        }
      ],
      "title": "Prisma Browser: Improperly Restricted Automation Bridge Allows Security Bypass",
      "workarounds": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No known workarounds exist for this issue."
            }
          ],
          "value": "No known workarounds exist for this issue."
        }
      ],
      "x_affectedList": [
        "Prisma Browser 146.16.0",
        "Prisma Browser 146.16.1",
        "Prisma Browser 146.16.2",
        "Prisma Browser 146.16.3",
        "Prisma Browser 146.16.4",
        "Prisma Browser 146.16.5"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2026-0237",
    "datePublished": "2026-05-13T17:48:17.677Z",
    "dateReserved": "2025-11-03T20:43:58.032Z",
    "dateUpdated": "2026-05-14T03:56:35.801Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68939 (GCVE-0-2025-68939)

Vulnerability from cvelistv5 – Published: 2025-12-26 02:03 – Updated: 2025-12-26 18:57
VLAI
Summary
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-424 - Improper Protection of Alternate Path
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Affected: 0 , < 1.23.0 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68939",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-26T14:40:06.574200Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-26T14:51:01.455Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:golang/code.gitea.io/gitea",
          "product": "Gitea",
          "vendor": "Gitea",
          "versions": [
            {
              "lessThan": "1.23.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.23.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-424",
              "description": "CWE-424 Improper Protection of Alternate Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-26T18:57:27.065Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://blog.gitea.com/release-of-1.23.0/"
        },
        {
          "url": "https://github.com/go-gitea/gitea/releases/tag/v1.23.0"
        },
        {
          "url": "https://github.com/go-gitea/gitea/pull/32151"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-68939",
    "datePublished": "2025-12-26T02:03:59.691Z",
    "dateReserved": "2025-12-26T02:03:59.388Z",
    "dateUpdated": "2025-12-26T18:57:27.065Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58079 (GCVE-0-2025-58079)

Vulnerability from cvelistv5 – Published: 2025-10-16 10:03 – Updated: 2025-10-16 13:41
VLAI
Summary
Improper Protection of Alternate Path (CWE-424) in the AppSuite of desknet's NEO V4.0R1.0 to V9.0R2.0 allows an attacker to create malicious AppSuite applications.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-424 - Improper Protection of Alternate Path
Assigner
Impacted products
Vendor Product Version
NEOJAPAN Inc. desknet's NEO Affected: V4.0R1.0 to V9.0R2.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58079",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-16T13:40:00.719482Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-16T13:41:37.399Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "desknet\u0027s NEO",
          "vendor": "NEOJAPAN Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "V4.0R1.0 to V9.0R2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper Protection of Alternate Path (CWE-424) in the AppSuite of desknet\u0027s NEO V4.0R1.0 to V9.0R2.0 allows an attacker to create malicious AppSuite applications."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-424",
              "description": "Improper Protection of Alternate Path",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-16T10:03:35.640Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.desknets.com/neo/support/mainte/17475/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN90757550/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-58079",
    "datePublished": "2025-10-16T10:03:35.640Z",
    "dateReserved": "2025-09-01T11:21:48.364Z",
    "dateUpdated": "2025-10-16T13:41:37.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49163 (GCVE-0-2025-49163)

Vulnerability from cvelistv5 – Published: 2025-06-02 00:00 – Updated: 2025-06-03 01:56
VLAI
Summary
Arris VIP1113 devices through 2025-05-30 with KreaTV SDK allow booting an arbitrary image via a crafted /usr/bin/gunzip file.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-424 - Improper Protection of Alternate Path
Assigner
Impacted products
Vendor Product Version
Arris VIP1113 Affected: 0 , ≤ 2025-05-30 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49163",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-03T01:56:09.258016Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-03T01:56:51.541Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "VIP1113",
          "vendor": "Arris",
          "versions": [
            {
              "lessThanOrEqual": "2025-05-30",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Arris VIP1113 devices through 2025-05-30 with KreaTV SDK allow booting an arbitrary image via a crafted /usr/bin/gunzip file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-424",
              "description": "CWE-424 Improper Protection of Alternate Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-02T23:40:23.834Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://full-disclosure.eu/reports/2025/FDEU-CVE-2025-1c00-arris-bootloader-shell-injection.html"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-49163",
    "datePublished": "2025-06-02T00:00:00.000Z",
    "dateReserved": "2025-06-02T00:00:00.000Z",
    "dateUpdated": "2025-06-03T01:56:51.541Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49162 (GCVE-0-2025-49162)

Vulnerability from cvelistv5 – Published: 2025-06-02 00:00 – Updated: 2025-06-03 01:54
VLAI
Summary
Arris VIP1113 devices through 2025-05-30 with KreaTV SDK allow file overwrite via TFTP because a remote filename with a space character allows an attacker to control the local filename.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-424 - Improper Protection of Alternate Path
Assigner
Impacted products
Vendor Product Version
Arris VIP1113 Affected: 0 , ≤ 2025-05-30 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49162",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-03T01:54:04.235767Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-03T01:54:29.878Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "VIP1113",
          "vendor": "Arris",
          "versions": [
            {
              "lessThanOrEqual": "2025-05-30",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Arris VIP1113 devices through 2025-05-30 with KreaTV SDK allow file overwrite via TFTP because a remote filename with a space character allows an attacker to control the local filename."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-424",
              "description": "CWE-424 Improper Protection of Alternate Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-02T23:39:01.508Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://full-disclosure.eu/reports/2025/FDEU-CVE-2025-1c00-arris-bootloader-shell-injection.html"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-49162",
    "datePublished": "2025-06-02T00:00:00.000Z",
    "dateReserved": "2025-06-02T00:00:00.000Z",
    "dateUpdated": "2025-06-03T01:54:29.878Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-48828 (GCVE-0-2025-48828)

Vulnerability from cvelistv5 – Published: 2025-05-27 00:00 – Updated: 2025-05-27 18:04
VLAI
Summary
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-424 - Improper Protection of Alternate Path
Assigner
Impacted products
Vendor Product Version
vBulletin vBulletin Affected: 6.0.3 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48828",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-27T18:04:12.683454Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-27T18:04:16.774Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "vBulletin",
          "vendor": "vBulletin",
          "versions": [
            {
              "status": "affected",
              "version": "6.0.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "6.0.3",
                  "versionStartIncluding": "6.0.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the \"var_dump\"(\"test\") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-424",
              "description": "CWE-424 Improper Protection of Alternate Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-27T12:50:18.248Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce"
        },
        {
          "url": "https://kevintel.com/CVE-2025-48828"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-48828",
    "datePublished": "2025-05-27T00:00:00.000Z",
    "dateReserved": "2025-05-27T00:00:00.000Z",
    "dateUpdated": "2025-05-27T18:04:16.774Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design

Deploy different layers of protection to implement security in depth.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-554: Functionality Bypass

An adversary attacks a system by bypassing some or all functionality intended to protect it. Often, a system user will think that protection is in place, but the functionality behind those protections has been disabled by the adversary.