Executive Summary:
A high-severity vulnerability has been identified in multiple Power products, specifically affecting the Dynojet Power Core 2 software. Successful exploitation could allow a remote attacker to compromise the application, potentially leading to unauthorized code execution, data theft, or system manipulation. Organizations are urged to apply vendor patches immediately to mitigate the significant risk posed by this flaw.

Vulnerability Details

CVE-ID: CVE-2021-47773

Affected Software: Power Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: This vulnerability exists within a network-accessible component of the Dynojet Power Core 2 software. A flaw in the way the application handles user-supplied input allows a remote, unauthenticated attacker to send a specially crafted request to the affected system. Successful exploitation of this flaw could result in arbitrary code execution on the underlying server with the privileges of the application's service account, leading to a full system compromise.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Exploitation could have a significant negative impact on business operations. An attacker who successfully leverages this vulnerability could gain control over the affected system, allowing them to steal sensitive data (such as customer information or proprietary tuning files), install malware or ransomware, disrupt service availability, or use the compromised machine as a pivot point to attack other systems within the corporate network. This poses a direct risk to data confidentiality, integrity, and availability.

Remediation Plan

Immediate Action: Apply the security updates released by the vendor immediately to mitigate this vulnerability. Additionally, system administrators should actively monitor for any signs of exploitation attempts and conduct a thorough review of relevant application and system access logs for any suspicious activity that occurred prior to patch application.

Proactive Monitoring: Monitor network traffic for unusual connections or malformed packets targeting the ports used by the Dynojet Power Core 2 software. Review application logs for unexpected errors or crashes, and system logs for suspicious processes being spawned by the application. Implement Intrusion Detection System (IDS) signatures to detect and alert on traffic patterns matching potential exploit attempts.

Compensating Controls: If immediate patching is not feasible, restrict network access to the vulnerable services using a host-based or network firewall. Limit access to only trusted IP addresses or internal network segments to reduce the attack surface. Consider running the application in an isolated or containerized environment to limit the impact of a potential compromise.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of January 16, 2026, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, due to the high severity rating and the potential for remote code execution, it is highly probable that threat actors will analyze the patch and develop a working exploit in the near future.

Analyst Recommendation

Given the high severity (CVSS 7.8) of this vulnerability and its potential for remote code execution, we strongly recommend that all organizations using the affected Power products apply the vendor-supplied patches on an emergency basis. Although this vulnerability is not currently listed on the CISA KEV catalog, its severity makes it a prime target for future exploitation. Prioritize patching systems that are accessible from less trusted networks and follow the provided monitoring guidance to ensure the security of your environment.

Executive Summary:
A high-severity vulnerability has been identified in OpenPLC v3, allowing a logged-in attacker to execute arbitrary code on the system. Successful exploitation could lead to a complete compromise of the affected industrial control system, potentially disrupting physical processes, causing operational downtime, and introducing significant safety risks.

Vulnerability Details

CVE-ID: CVE-2021-47770

Affected Software: OpenPLC Multiple Products

Affected Versions: OpenPLC v3. See vendor advisory for specific affected versions.

Vulnerability: This vulnerability is an authenticated remote code execution (RCE) flaw within the hardware configuration interface of OpenPLC v3. An attacker who has successfully authenticated to the system with sufficient privileges can inject malicious code or system commands into the configuration fields. Due to insufficient input validation and sanitization, this injected code is then executed with the privileges of the OpenPLC application, granting the attacker control over the underlying operating system.

Business Impact

This is a High severity vulnerability with a CVSS score of 8.8. A successful exploit could result in the complete compromise of the OpenPLC system, granting an attacker full control over the connected industrial control processes. Potential consequences include manipulation of physical equipment, unauthorized process shutdowns, operational downtime, potential physical damage, and significant safety risks. The requirement for authentication reduces the risk from unauthenticated attackers, but the vulnerability remains critical if an attacker gains credentials through other means, such as phishing or password reuse.

Remediation Plan

Immediate Action: Apply security patches provided by the vendor immediately, prioritizing any internet-facing systems. After patching, review system and access logs for any signs of compromise that may have occurred prior to remediation.

Proactive Monitoring: Monitor application and system logs for unusual or malformed entries related to the hardware configuration interface. Scrutinize network traffic for unexpected outbound connections from the OpenPLC host, which could indicate a reverse shell or data exfiltration. Implement alerts for logins from suspicious IP addresses or outside of normal business hours.

Compensating Controls: If patching is not immediately possible, implement the following controls:

• Restrict administrative access to the OpenPLC interface to a minimal number of trusted personnel.
• Implement network segmentation to isolate the OpenPLC host from untrusted networks, including the corporate IT network and the internet.
• Enforce multi-factor authentication (MFA) on all OpenPLC accounts to make it more difficult for an attacker to obtain valid credentials.
• Deploy a Web Application Firewall (WAF) to inspect and filter traffic to the web interface, potentially blocking malicious injection attempts.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of January 23, 2026, there are no known public exploits or active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, due to the critical nature of RCE vulnerabilities in industrial control systems, the development of an exploit by threat actors is plausible.

Analyst Recommendation

Given the high severity (CVSS 8.8) and the potential for complete system compromise of a critical industrial control system, immediate action is required. Although this vulnerability requires authentication, organizations must not be complacent, as credentials can be compromised through various methods. We strongly recommend prioritizing the application of vendor-supplied patches to all affected OpenPLC systems, starting with those exposed to the internet. If patching is delayed, implement the recommended compensating controls, such as network segmentation and access restriction, to reduce the attack surface and mitigate the immediate risk.

Executive Summary:
A critical vulnerability exists in multiple versions of TestLink that allows an unauthenticated attacker to download any file from the server. This flaw can be easily exploited by manipulating a URL, bypassing all security checks, and could lead to a significant data breach of sensitive project information, intellectual property, and other confidential data stored within the application.

Vulnerability Details

CVE-ID: CVE-2021-47760

Affected Software: TestLink

Affected Versions: 1.16 through 1.19

Vulnerability: The vulnerability is an improper access control flaw in the attachmentdownload.php file. An unauthenticated attacker can craft a specific URL to request any file attachment stored in TestLink by its numerical ID. By including the parameter skipCheck=1 in the request, the application's standard security and session checks are bypassed, granting the attacker direct access to download the specified file. The attacker can systematically iterate through file IDs to discover and exfiltrate all attachments hosted on the platform.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a catastrophic data breach, exposing sensitive project plans, test results, source code snippets, intellectual property, and potentially personally identifiable information (PII) that has been uploaded as an attachment. The business impact includes severe reputational damage, loss of competitive advantage, potential legal and regulatory fines for data exposure, and the cost associated with incident response and recovery. Since the attack requires no authentication, any internet-facing TestLink instance is at high risk.

Remediation Plan

Immediate Action: Immediately upgrade all instances of TestLink to the latest patched version that resolves this vulnerability, as per the vendor's advisory. After patching, it is crucial to review web server and application access logs for any evidence of past exploitation attempts targeting the attachmentdownload.php endpoint.

Proactive Monitoring: Security teams should implement monitoring rules to detect and alert on suspicious requests to the attachmentdownload.php endpoint. Specifically, look for requests containing the skipCheck=1 parameter. Monitor for a high volume of requests to this endpoint from a single IP address, especially with sequentially incrementing id parameter values, as this is a strong indicator of an attacker attempting to enumerate and download all available files.

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) rule to block any incoming requests to attachmentdownload.php that contain the string skipCheck=1. Additionally, restrict network access to the TestLink application to only trusted IP ranges or require users to connect via a secure VPN to limit the attack surface.

Exploitation Status

Public Exploit Available: true

Analyst Notes: As of Jan 15, 2026, proof-of-concept exploit code is publicly available and the method of exploitation is trivial. Due to the simplicity of the attack (crafting a URL), it should be assumed that any unpatched, internet-accessible instance is being actively scanned for and targeted by threat actors. Although this CVE is not currently listed on the CISA KEV catalog, its high severity and the ease of exploitation make it an attractive target for opportunistic and targeted attacks aimed at data exfiltration.

Analyst Recommendation

Given the critical CVSS score of 9.8 and the public availability of a simple exploit, this vulnerability poses an immediate and severe threat to the organization. We strongly recommend that all affected TestLink instances be patched immediately without delay. If patching is not possible, the compensating controls listed above, particularly implementing a WAF rule, should be deployed as an emergency measure. A full review of access logs is essential to determine if a data breach has already occurred.

Executive Summary:
A critical, unauthenticated vulnerability exists in phpKF CMS, allowing remote attackers to bypass security checks and upload malicious files. Successful exploitation enables an attacker to execute arbitrary code, leading to a complete compromise of the affected web server, potential data theft, and service disruption.

Vulnerability Details

CVE-ID: CVE-2021-47753

Affected Software: phpKF CMS Multiple Products

Affected Versions: phpKF CMS 3.00 Beta y6. See vendor advisory for a complete list of affected versions.

Vulnerability: The vulnerability is an unauthenticated file upload bypass within the phpKF CMS software. The application fails to properly validate the true file type during the upload process, relying on insufficient checks like file extension. An unauthenticated remote attacker can craft a malicious PHP script, disguise it with a permitted extension like .png, and upload it to the server. Subsequently, the attacker can rename the file to a .php extension and access it directly via a web browser, executing the embedded code and gaining full control over the server.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation requires no authentication or user interaction, making it a significant threat to any internet-facing system running the affected software. A successful attack can lead to a complete system compromise, resulting in the theft of sensitive data (e.g., customer information, intellectual property), website defacement, service outages, and reputational damage. The compromised server could also be used as a staging point to launch further attacks against the internal network, escalating the overall security risk to the organization.

Remediation Plan

Immediate Action: Update phpKF CMS Multiple Products to the latest version as recommended by the vendor. After patching, it is crucial to monitor for any signs of post-exploitation activity and thoroughly review web server access logs for indicators of compromise that may have occurred prior to the update.

Proactive Monitoring:

• Log Analysis: Scrutinize web server logs for suspicious POST requests to file upload endpoints, especially those with unusual user agents or originating from unexpected IP addresses. Look for file rename events followed by GET or POST requests to newly created .php files in upload directories.
• File Integrity Monitoring (FIM): Implement FIM on web directories to detect the creation of unauthorized files, particularly executable scripts (e.g., .php, .phtml).
• Network Traffic: Monitor for anomalous outbound connections from the web server, which could indicate a reverse shell or data exfiltration channel established by an attacker.

Compensating Controls:
If immediate patching is not feasible, implement the following controls to mitigate risk:

• Web Application Firewall (WAF): Deploy a WAF with rules specifically designed to inspect file uploads, validate file types based on content (magic bytes) rather than extensions, and block malicious payloads.
• Disable Script Execution: Configure the web server to explicitly deny the execution of scripts (like PHP) within the file upload directory.
• Restrict Access: If the file upload functionality is not essential, disable it entirely until the system can be patched.

Exploitation Status

Public Exploit Available: true

Analyst Notes: As of Jan 15, 2026, multiple public proof-of-concept exploits are available for this vulnerability. Due to its critical severity and the lack of authentication required for exploitation, CVE-2021-47753 is an attractive target for threat actors. Although it is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its public availability means automated and targeted attacks are highly likely.

Analyst Recommendation

Given the critical CVSS score of 9.8 and the availability of public exploits, this vulnerability poses an immediate and severe risk to the organization. The highest priority is to apply the vendor-supplied patches to all affected phpKF CMS instances without delay. For any unpatched, internet-facing systems, we recommend assuming they are compromised and initiating incident response procedures to hunt for evidence of malicious activity. The lack of a CISA KEV listing should not diminish the urgency; the unauthenticated nature of this remote code execution flaw warrants immediate attention and remediation.

Executive Summary:
A critical remote code execution vulnerability has been identified in Hasura GraphQL version 1.3.3. This flaw allows an unauthenticated attacker to take complete control of the server by sending a specially crafted GraphQL query, which can lead to total system compromise, data theft, and service disruption. Organizations using the affected software are exposed to significant risk and should take immediate action to mitigate this threat.

Vulnerability Details

CVE-ID: CVE-2021-47748

Affected Software: Hasura GraphQL Multiple Products

Affected Versions: Version 1.3.3 is confirmed to be vulnerable. See vendor advisory for a complete list of affected versions.

Vulnerability: The vulnerability exists within the run_sql API endpoint, which fails to properly sanitize user-supplied input within GraphQL queries. An attacker can inject malicious SQL statements that leverage PostgreSQL's COPY FROM PROGRAM functionality. By crafting a query that includes this command, the attacker can force the database server to execute arbitrary shell commands with the privileges of the PostgreSQL service account, resulting in remote code execution (RCE) on the underlying server.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows an attacker to gain full administrative control over the database server and potentially the entire host operating system. The consequences include, but are not limited to, the theft of sensitive data, modification or deletion of critical business information, complete service outages, and the ability for an attacker to use the compromised server as a pivot point to launch further attacks against the internal network. The potential for reputational damage and financial loss is extremely high.

Remediation Plan

Immediate Action:

• Immediately apply security updates by upgrading Hasura GraphQL to the latest version as recommended by the vendor.
• Review server and application access logs for any signs of compromise or exploitation attempts targeting the run_sql endpoint.

Proactive Monitoring:

• Log Analysis: Configure security information and event management (SIEM) systems to alert on GraphQL queries targeting the run_sql endpoint that contain suspicious keywords such as COPY, PROGRAM, or common shell command syntax.
• Network Monitoring: Monitor for unusual outbound connections from the database server, which could indicate a reverse shell or data exfiltration channel established by an attacker.
• Endpoint Detection: Monitor for unexpected processes being spawned by the PostgreSQL user account on the database server.

Compensating Controls:
If immediate patching is not feasible, implement the following controls to reduce risk:

• Web Application Firewall (WAF): Deploy a WAF with rules specifically designed to inspect GraphQL traffic and block queries containing malicious SQL injection patterns, particularly those attempting to use COPY FROM PROGRAM.
• Database Permissions: Enforce the principle of least privilege by ensuring the database user account used by Hasura does not have permissions to execute dangerous functions like COPY FROM PROGRAM.
• Network Segmentation: Restrict all outbound network access from the database server except for what is explicitly required for business operations.

Exploitation Status

Public Exploit Available: Information not available in the provided CVE data.

Analyst Notes: As of January 21, 2026, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the attack vector is well-understood, and the impact is severe. It is highly probable that threat actors will develop and utilize exploits for this vulnerability, making unpatched systems prime targets.

Analyst Recommendation

Given the critical CVSS score of 9.8 and the risk of complete system compromise, this vulnerability requires immediate attention. We strongly recommend that all affected instances of Hasura GraphQL be patched to the latest version without delay. While this vulnerability is not yet on the CISA KEV list, its severity and potential for straightforward exploitation mean it should be treated with the highest priority. In parallel with patching, organizations must implement the proactive monitoring and compensating controls outlined above to detect potential exploitation and limit the blast radius of an attack.

Executive Summary:
A high-severity vulnerability has been identified in multiple meterN products, allowing a remote, unauthenticated attacker to potentially execute arbitrary code and gain complete control over affected systems. Successful exploitation could lead to a full system compromise, resulting in data theft, service disruption, and further network intrusion. Organizations are urged to apply vendor-supplied security updates immediately to mitigate this critical risk.

Vulnerability Details

CVE-ID: CVE-2021-47747

Affected Software: meterN Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on a target system. The flaw likely exists within a network-facing service where input from a user is not properly validated. An attacker can exploit this by sending a specially crafted network packet or request to the vulnerable service, which could trigger a condition like a buffer overflow or command injection, leading to code execution with the privileges of the running application.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit could result in the complete compromise of the affected meterN device or system. The business impact includes the potential for significant data breaches, theft of sensitive corporate or customer information, and operational disruption if the compromised systems are taken offline. Furthermore, an attacker could use the compromised system as a pivot point to launch further attacks against the internal network, escalating the scope and damage of the incident.

Remediation Plan

Immediate Action: Apply vendor security updates immediately across all affected systems to patch the vulnerability. Concurrently, monitor network traffic and system logs for any signs of exploitation attempts, such as unusual inbound requests or outbound connections from the affected devices. Review historical access logs for any evidence of compromise prior to patching.

Proactive Monitoring: Implement enhanced monitoring for the affected assets. Security teams should look for anomalous network traffic patterns to or from meterN devices, unexpected process execution, or unauthorized configuration changes. Utilize Intrusion Detection/Prevention Systems (IDS/IPS) with signatures capable of detecting exploit attempts targeting this specific CVE.

Compensating Controls: If immediate patching is not feasible, restrict network access to the vulnerable services. Use firewalls or network access control lists (ACLs) to limit connectivity to only trusted IP addresses and necessary personnel. Place the affected devices in a segmented network zone to limit an attacker's ability to move laterally if a compromise occurs.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of January 2, 2026, there is no known public proof-of-concept exploit code, and there are no reports of this vulnerability being actively exploited in the wild. However, given the high severity and potential for remote code execution, it is highly likely that threat actors will reverse-engineer the patch to develop an exploit.

Analyst Recommendation
Due to the high CVSS score of 8.8, this vulnerability presents a critical risk to the organization and must be addressed with urgency. The primary and most effective remediation is to apply the vendor-provided patches to all affected meterN products without delay. While this vulnerability is not currently listed on the CISA KEV list, its severity makes it a prime candidate for future inclusion and a high-priority target for attackers. If patching is delayed for any reason, the compensating controls outlined above must be implemented immediately to reduce the attack surface.

Executive Summary:
A high-severity vulnerability exists in certain Cypress Solutions products, allowing an unauthenticated attacker to execute arbitrary commands and gain full control of the affected device over the network. Successful exploitation could lead to a complete system compromise, enabling data theft, network pivoting, or operational disruption of critical infrastructure.

Vulnerability Details

CVE-ID: CVE-2021-47745

Affected Software: Cypress Solutions CTM-200

Affected Versions: Version 2.05 and potentially prior versions. See vendor advisory for specific affected versions.

Vulnerability: This vulnerability is an OS Command Injection flaw in the web-based management interface of the Cypress CTM-200 device. An unauthenticated remote attacker can send a specially crafted HTTP request to the device's ping utility. By embedding malicious shell commands within the input field intended for an IP address or hostname, the attacker can trick the system into executing these commands with the privileges of the web server, leading to remote code execution.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 8.8, reflecting the potential for complete system compromise without user interaction. Exploitation could allow an attacker to exfiltrate sensitive configuration data, use the compromised device as a launchpad to attack other systems on the internal network, or disrupt the device's intended function, impacting operational continuity. For organizations relying on these devices for telemetry or remote connectivity, this poses a significant risk to both data security and operational stability.

Remediation Plan

Immediate Action: Apply vendor security updates immediately to all affected Cypress CTM-200 devices. After patching, monitor for any signs of post-patch exploitation attempts and review historical web access logs for indicators of compromise predating the patch.

Proactive Monitoring: Monitor web server access logs on the CTM-200 devices for unusual requests to the ping functionality, specifically looking for requests containing shell metacharacters (e.g., ;, |, &&, $(), `). Monitor network traffic for unexpected outbound connections originating from these devices, which could indicate a successful compromise.

Compensating Controls: If patching cannot be performed immediately, restrict network access to the device's web management interface to a trusted administrative network or specific IP addresses. If the interface must be exposed, place it behind a Web Application Firewall (WAF) configured with rules to detect and block command injection attacks.

Exploitation Status

Public Exploit Available: true

Analyst Notes: As of January 2, 2026, multiple public proof-of-concept (PoC) exploits are available for this vulnerability. The existence of public exploits significantly increases the risk, as it lowers the technical barrier for attackers to target vulnerable devices. While this CVE is not currently on the CISA KEV list, its high severity and the availability of exploit code make it an attractive target for threat actors.

Analyst Recommendation
Given the critical severity (CVSS 8.8) and the widespread availability of public exploit code, it is strongly recommended that the organization prioritize the immediate patching of all vulnerable Cypress CTM-200 devices. Due to the high likelihood of active scanning and exploitation, any unpatched, internet-facing devices should be considered at extreme risk of compromise. If patching is delayed for any reason, the compensating controls listed above must be implemented without delay to reduce the immediate attack surface.

Executive Summary:
A high-severity vulnerability has been identified in the game Rocket League, which could allow a remote, unauthenticated attacker to execute arbitrary code on a player's machine. Successful exploitation could lead to a complete system compromise, enabling an attacker to steal sensitive data, install malware, or use the compromised system to launch further attacks against the network. Due to the vulnerability's severity and the availability of public exploit code, immediate remediation is critical.

Vulnerability Details

CVE-ID: CVE-2021-47742

Affected Software: Epic Multiple Products

Affected Versions: Epic Games Psyonix Rocket League versions up to and including 1.

Vulnerability:
This vulnerability is a heap-based buffer overflow within the Rocket League game client. An unauthenticated attacker on the same local network or with knowledge of the victim's IP address can send a specially crafted UDP packet to the game client. When the client processes this malicious packet, it can cause a buffer overflow, allowing the attacker to corrupt memory and execute arbitrary code on the victim's system with the same privileges as the user running the game.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 8.8. If an employee is running an affected version of Rocket League on a corporate device, a successful exploit could have a severe business impact. An attacker could gain a foothold into the corporate network, leading to potential data breaches, theft of intellectual property, deployment of ransomware, or disruption of business operations. The compromised machine could be used as a pivot point to attack other internal systems, bypassing perimeter security controls and escalating the incident significantly.

Remediation Plan

Immediate Action:
Organizations must apply the security updates provided by the vendor to all affected systems immediately. After patching, system administrators should monitor for any signs of exploitation attempts by reviewing endpoint security logs, network traffic, and application access logs for any anomalous activity related to the Rocket League application.

Proactive Monitoring:
Implement enhanced monitoring focused on endpoints where the affected software is installed. Security teams should look for:

• Unusual network traffic patterns originating from or directed to the Rocket League executable, especially from unknown or untrusted IP addresses.
• Endpoint Detection and Response (EDR) alerts for suspicious process creation, memory manipulation, or unauthorized file modification originating from the game process.
• Application crash logs or memory dumps that may indicate memory corruption exploitation attempts.

Compensating Controls:
If immediate patching is not feasible, the following compensating controls should be implemented:

• Network Segmentation: Isolate workstations used for gaming from critical business networks to limit the potential lateral movement of an attacker.
• Host-Based Firewall: Configure host-based firewalls to restrict inbound connections to the game client, allowing traffic only from trusted sources where possible.
• Principle of Least Privilege: Ensure users do not run the game with administrative privileges, which would limit an attacker's capabilities post-exploitation.

Exploitation Status

Public Exploit Available: true

Analyst Notes:
As of January 2, 2026, proof-of-concept (PoC) exploit code is publicly available for this vulnerability. While CVE-2021-47742 is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, the existence of a public exploit significantly increases the likelihood of opportunistic attacks by a wide range of threat actors.

Analyst Recommendation
Given the high severity (CVSS 8.8), the risk of remote code execution, and the public availability of exploit code, this vulnerability poses a critical risk to the organization. We strongly recommend that the vendor-supplied patches be applied on an emergency basis to all systems running the affected software. Furthermore, organizations should review and enforce policies regarding the installation and use of non-business software, such as games, on corporate assets to mitigate future risks.

Executive Summary:
A high-severity privilege escalation vulnerability has been identified in multiple ZBL EPON ONU Broadband Router products. This flaw allows an attacker who already has limited administrative access to the device to gain full administrative control. Successful exploitation could lead to a complete compromise of the network router, enabling unauthorized configuration changes, traffic interception, and further attacks on the internal network.

Vulnerability Details

CVE-ID: CVE-2021-47741

Affected Software: ZBL Multiple Products

Affected Versions: The specific version V100R001 is confirmed to be affected. See vendor advisory for a complete list of all affected products and versions.

Vulnerability: This is a privilege escalation vulnerability within the web-based management interface of the ZBL routers. The flaw exists because certain configuration endpoints fail to properly verify the privilege level of an authenticated administrative user. An attacker with credentials for a low-privilege admin account can bypass these insufficient access controls by crafting and sending direct HTTP requests to these sensitive endpoints, allowing them to perform actions reserved for high-privilege administrators, such as changing system settings, creating new admin accounts, or modifying firewall rules.

Business Impact

This is a High severity vulnerability with a CVSS score of 7.5. A successful exploit would allow an attacker to gain complete control over a critical network infrastructure device. The potential consequences include unauthorized modification of network configurations, leading to service disruption or denial of service (DoS). An attacker could also intercept or redirect network traffic (Man-in-the-Middle attack) to steal sensitive information, or use the compromised router as a pivot point to launch further attacks against other assets on the internal network.

Remediation Plan

Immediate Action: The primary remediation is to update the firmware of all affected ZBL devices to a patched version immediately. In parallel, organizations must conduct a thorough review of all user permissions and access controls on these devices, ensuring that only trusted personnel have administrative access and that the principle of least privilege is strictly enforced.

Proactive Monitoring: Monitor device audit logs for any configuration changes originating from user accounts with known limited privileges. Network administrators should watch for unusual traffic patterns to or from the device's management interface and implement alerts for the creation of new administrative accounts or unexpected system reboots.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Restrict access to the device's management interface to a dedicated, secure management network or a limited set of trusted IP addresses.
• Temporarily disable any non-essential, low-privilege administrative accounts until the patch can be deployed.
• Utilize network segmentation to limit the potential "blast radius" should the device be compromised.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of January 2, 2026, there is no known public proof-of-concept exploit code or evidence of this vulnerability being actively exploited in the wild. However, vulnerabilities of this type in network edge devices are attractive targets for threat actors, and it is highly probable that an exploit will be developed.

Analyst Recommendation
Given the high severity (CVSS 7.5) and the critical role these routers play in a network, we strongly recommend that organizations prioritize the immediate patching of all affected ZBL devices. Although this vulnerability is not currently listed on the CISA KEV catalog, its impact is significant. If patching cannot be performed immediately, the compensating controls listed above, particularly restricting administrative access, must be implemented without delay to reduce the attack surface and prevent a low-level compromise from escalating into a full network breach.

Executive Summary:
A high-severity vulnerability exists in certain NuCom wireless routers, allowing an unauthenticated attacker on the network to take complete control of the device. Successful exploitation could lead to a full network compromise, data theft, or the router being used for further malicious activities.

Vulnerability Details

CVE-ID: CVE-2021-47726

Affected Software: NuCom Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: This vulnerability is an unauthenticated command injection flaw in the web management interface of the affected routers. An attacker can send a specially crafted HTTP request to the 'sys_log' page, injecting arbitrary operating system commands via the 'ping_addr' parameter. Because the input is not properly sanitized, these commands are executed on the device with root-level privileges, giving the attacker full control without requiring any prior authentication.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.5. A successful exploit grants an attacker complete administrative control over the affected network device. This could lead to severe business consequences, including the interception of sensitive network traffic, theft of credentials and confidential data, disruption of network services, and using the compromised router as a pivot point to attack other internal systems. The device could also be co-opted into a botnet for use in larger-scale attacks like Distributed Denial-of-Service (DDoS), posing a reputational risk to the organization.

Remediation Plan

Immediate Action: Apply vendor security updates immediately. Organizations must prioritize the deployment of the firmware patches provided by NuCom to all affected devices to eliminate the vulnerability. After patching, review system and access logs for any signs of compromise that may have occurred before the update was applied.

Proactive Monitoring: Monitor web server logs on the routers for suspicious requests to the 'sys_log' page, specifically examining the 'ping_addr' parameter for shell metacharacters (e.g., ;, |, &&, $()). Monitor for anomalous outbound network traffic from the routers, such as connections to unknown command-and-control (C2) servers or participation in scanning activity.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Restrict access to the device's web management interface to a dedicated, trusted administrative network segment.
• Ensure the management interface is not exposed to the internet.
• Deploy a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) with rules to detect and block command injection attempts targeting the 'ping_addr' parameter.

Exploitation Status

Public Exploit Available: true

Analyst Notes: As of January 2, 2026, proof-of-concept exploit code for this vulnerability is widely and publicly available. This significantly lowers the technical skill required for an attacker to exploit this flaw. While this CVE is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, its unauthenticated nature and the availability of public exploits make it an attractive target for opportunistic and automated attacks.

Analyst Recommendation
Given the high severity of this vulnerability and the public availability of exploit code, we recommend immediate and urgent action. All internet-facing NuCom devices should be patched or taken offline immediately. For internal devices, patching should be prioritized as a critical action. If patching cannot be performed immediately, the compensating controls listed above, particularly restricting access to the management interface, must be implemented without delay to reduce the attack surface.

Executive Summary:
A high-severity vulnerability exists within the AMD Trusted Execution Environment (TEE), a core security component. An attacker who has already gained basic access to a system can exploit this flaw by sending a specially crafted command, causing memory corruption that could lead to a system crash or unauthorized data modification, thereby impacting system availability and integrity.

Vulnerability Details

CVE-ID: CVE-2021-26383

Affected Software: AMD Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: The vulnerability is an insufficient bounds checking issue within the AMD Trusted Execution Environment (TEE). An attacker with the ability to execute code in userspace can send a command with malformed arguments to the TEE driver. Because the driver fails to properly validate the size of these arguments, it can be forced to write data outside of its intended memory buffer, resulting in an out-of-bounds write. This memory corruption can be leveraged by an attacker to cause a denial of service (system crash) or potentially corrupt sensitive data managed by the TEE, leading to a loss of integrity.

Business Impact

This is a High severity vulnerability with a CVSS score of 7.9. Successful exploitation poses a significant risk to the stability and trustworthiness of affected systems. The primary business impacts include disruption of services due to system crashes (loss of availability) and potential corruption of critical data (loss of integrity). While an attacker needs prior access to the system, this vulnerability provides a pathway for them to escalate their impact, undermine security controls that rely on the TEE, and destabilize critical infrastructure. This could lead to operational downtime, data integrity issues, and a loss of confidence in the security posture of affected assets.

Remediation Plan

Immediate Action: Apply vendor security updates immediately. Organizations should identify all systems with affected AMD processors and deploy the relevant firmware or driver updates provided by AMD and system manufacturers. After patching, confirm that the updates have been successfully applied and reboot systems as required.

Proactive Monitoring: Monitor for unexpected system crashes or reboots, particularly on servers and critical workstations. Review system logs (e.g., Windows Event Logs, Linux syslog) for errors or warnings related to the AMD TEE driver or platform security processor (PSP). Endpoint Detection and Response (EDR) solutions should be configured to alert on anomalous process behavior, especially processes interacting with low-level system drivers.

Compensating Controls: If patching cannot be performed immediately, focus on preventing the initial user-space compromise. Enforce the principle of least privilege for all user accounts and services, implement strict application whitelisting to prevent unauthorized code execution, and ensure that endpoint protection and EDR solutions are deployed and up-to-date to detect and block initial access attempts.

Exploitation Status

Public Exploit Available: True

Analyst Notes: The provided "Published Date" of September 7, 2025, appears to be a typographical error; this CVE was publicly disclosed in September 2021. As of the date of this report, proof-of-concept (PoC) exploit code is publicly available, which lowers the bar for attackers to develop functional exploits. While not known to be used in widespread campaigns, its primary risk is as a second-stage tool for an attacker who has already gained a foothold on a target system.

Analyst Recommendation

Due to the High severity rating (CVSS 7.9) and the public availability of exploit code, we strongly recommend that organizations prioritize the immediate patching of all affected AMD-based systems. This vulnerability represents a critical risk for system stability and integrity. Although it is not currently on the CISA KEV list, its potential to be used in targeted attacks to disrupt operations or escalate privileges cannot be ignored. The most effective mitigation is the prompt application of vendor-supplied security updates.

Executive Summary:
A high-severity vulnerability exists within Statamic Core software, identified as CVE-2020-9322. This flaw allows an unauthenticated, remote attacker to potentially access and manipulate sensitive user data through a specific application endpoint. Successful exploitation could lead to unauthorized access, account takeovers, and significant data breaches, posing a critical risk to the organization.

Vulnerability Details

CVE-ID: CVE-2020-9322

Affected Software: Statamic Core

Affected Versions: All versions of Statamic Core prior to version 2.0

Vulnerability: The vulnerability exists in the /users API endpoint of Statamic Core. Due to improper access control, a remote, unauthenticated attacker can send a specially crafted request to this endpoint to retrieve sensitive user information. The high CVSS score of 8.8 indicates that the exploit is low in complexity and requires no user interaction, allowing an attacker to potentially enumerate users, extract data, and possibly perform unauthorized actions on user accounts.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation could have a severe impact on business operations, confidentiality, and integrity. Potential consequences include the breach of Personally Identifiable Information (PII) of users, leading to reputational damage and loss of customer trust. Furthermore, the organization could face regulatory penalties under data protection laws like GDPR or CCPA. If compromised accounts have administrative privileges, the attacker could gain further control over the application and underlying systems.

Remediation Plan

Immediate Action: Apply vendor security updates immediately to upgrade Statamic Core to version 2.0 or a later, patched version. After patching, review web server and application access logs for any suspicious activity or exploitation attempts targeting the /users endpoint that may have occurred prior to remediation.

Proactive Monitoring: Implement continuous monitoring of application logs, specifically looking for unusual or high-volume requests to the /users endpoint from untrusted IP addresses. Configure alerts for unauthorized account modifications, password resets, or privilege escalations that could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block or rate-limit access to the /users endpoint from external, untrusted sources. If possible, restrict network access to this endpoint, allowing connections only from trusted internal IP addresses until the patch can be applied.

Exploitation Status

Public Exploit Available: True

Analyst Notes: As of August 8, 2025, proof-of-concept (PoC) exploit code for CVE-2020-9322 is publicly available. The existence of a public exploit significantly increases the likelihood of opportunistic and targeted attacks, as it lowers the technical barrier for threat actors to compromise vulnerable systems.

Analyst Recommendation

Given the high severity (CVSS 8.8) and the confirmed availability of public exploit code, this vulnerability poses a critical and immediate risk. We strongly recommend that organizations prioritize the deployment of the vendor-supplied security patch across all affected systems without delay. Although this CVE is not currently listed on the CISA KEV list, its public nature and severe impact warrant urgent attention. If patching is delayed, the compensating controls outlined above must be implemented as a temporary, high-priority measure to reduce the attack surface.