CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,867 CVEs tracked | 53,243 with exploits | 4,725 exploited in wild | 1,540 CISA KEV | 3,925 Nuclei templates | 37,802 vendors | 42,500 researchers
2,026 results
CVE-2025-3232 7.5 HIGH 1 Writeup EPSS 0.00
Unknown - Command Injection
A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands.
CWE-306 Dec 24, 2025
CVE-2019-25248 7.5 HIGH 1 PoC Analysis EPSS 0.00
Beward N100 M2.1.6.04C014 - Info Disclosure
Beward N100 M2.1.6.04C014 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve the camera's RTSP stream by exploiting the lack of authentication in the video access mechanism.
CWE-306 Dec 24, 2025
CVE-2019-25240 9.8 CRITICAL 1 PoC Analysis EPSS 0.00
Rifatron 5brid DVR - Unauthenticated Access
Rifatron 5brid DVR contains an unauthenticated vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web Viewer module by specifying channel numbers to retrieve sequential video snapshots without authentication.
CWE-306 Dec 24, 2025
CVE-2019-25236 9.8 CRITICAL 1 PoC Analysis EPSS 0.00
iSeeQ Hybrid DVR WH-H4 1.03R - Info Disclosure
iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without authentication.
CWE-306 Dec 24, 2025
CVE-2018-25141 7.5 HIGH 1 PoC Analysis EPSS 0.00
FLIR thermal traffic cameras - Info Disclosure
FLIR thermal traffic cameras contain an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve video streams by accessing specific endpoints like /live.mjpeg, /snapshot.jpg, and RTSP streaming URLs without authentication.
CWE-306 Dec 24, 2025
CVE-2018-25140 7.5 HIGH 1 PoC Analysis EPSS 0.00
FLIR thermal traffic cameras - SSRF
FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially initiate denial of service by sending crafted WebSocket messages without authentication.
CWE-306 Dec 24, 2025
CVE-2018-25139 7.5 HIGH 1 PoC Analysis EPSS 0.00
FLIR AX8 Thermal Camera <1.32.16 - Info Disclosure
FLIR AX8 Thermal Camera 1.32.16 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly connect to the RTSP stream using tools like VLC or FFmpeg to view and record thermal camera footage.
CWE-306 Dec 24, 2025
CVE-2018-25137 7.5 HIGH 1 PoC Analysis EPSS 0.00
FLIR Brickstream 3D+ <2.1.742.1842 - Info Disclosure
FLIR Brickstream 3D+ 2.1.742.1842 contains an unauthenticated vulnerability in the ExportConfig REST API that allows attackers to download sensitive configuration files. Attackers can exploit the getConfigExportFile.cgi endpoint to retrieve system configurations, potentially enabling authentication bypass and privilege escalation.
CWE-306 Dec 24, 2025
CVE-2018-25136 7.5 HIGH 1 PoC Analysis EPSS 0.00
FLIR Brickstream 3D+ <2.1.742.1842 - Info Disclosure
FLIR Brickstream 3D+ 2.1.742.1842 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can retrieve video stream images by directly accessing multiple image endpoints like middleImage.jpg, rightimage.jpg, and leftimage.jpg.
CWE-306 Dec 24, 2025
CVE-2018-25134 9.8 CRITICAL 1 PoC Analysis EPSS 0.00
Synaccess netBooter NP-02x/NP-08x 6.8 - Auth Bypass
Synaccess netBooter NP-02x/NP-08x 6.8 contains an authentication bypass vulnerability in the webNewAcct.cgi script that allows unauthenticated attackers to create admin user accounts. Attackers can exploit the missing control check by sending crafted POST requests to create administrative accounts and gain unauthorized control over power supply management.
CWE-306 Dec 24, 2025
CVE-2025-66445 7.1 HIGH EPSS 0.00
Hitachi Infrastructure Analytics Advisor <11.0.5.00 - Auth Bypass
Authorization bypass vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.5-00.
CWE-306 Dec 24, 2025
CVE-2025-65856 9.8 CRITICAL 2 PoCs Analysis EPSS 0.01
Xiongmaitech Xm530v200 X6-weq 8M Firmware - Missing Authentication
Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access.
CWE-306 Dec 22, 2025
CVE-2023-53974 7.5 HIGH 1 PoC Analysis EPSS 0.00
D-Link DSL-124 ME_1.00 - Info Disclosure
D-Link DSL-124 ME_1.00 contains a configuration file disclosure vulnerability that allows unauthenticated attackers to retrieve router settings through a POST request. Attackers can send a specific POST request to the router's configuration endpoint to download a complete backup file containing sensitive network credentials and system configurations.
CWE-306 Dec 22, 2025
CVE-2023-53970 7.5 HIGH 1 PoC Analysis EPSS 0.00
Screen SFT DAB 600/C Firmware 1.9.3 - Auth Bypass
Screen SFT DAB 600/C Firmware 1.9.3 contains a weak session management vulnerability that allows attackers to bypass authentication controls by reusing IP-bound session identifiers. Attackers can exploit the vulnerable deviceManagement API endpoint to reset device configurations by sending crafted POST requests with manipulated session parameters.
CWE-306 Dec 22, 2025
CVE-2023-53969 7.5 HIGH 1 PoC Analysis EPSS 0.00
Screen SFT DAB 600/C firmware <1.9.3 - Auth Bypass
Screen SFT DAB 600/C firmware 1.9.3 contains a session management vulnerability that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reuse the same IP address and issue unauthorized requests to the userManager API to change user passwords without proper authentication.
CWE-306 Dec 22, 2025
CVE-2023-53968 9.8 CRITICAL 1 PoC Analysis EPSS 0.00
Screen SFT DAB 600/C Firmware 1.9.3 - Auth Bypass
Screen SFT DAB 600/C Firmware 1.9.3 contains a session management vulnerability that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reuse the same IP address and issue unauthorized requests to the userManager API to remove user accounts without proper authentication.
CWE-306 Dec 22, 2025
CVE-2023-53967 7.5 HIGH 1 PoC Analysis EPSS 0.00
Screen SFT DAB 600/C 1.9.3 - Auth Bypass
Screen SFT DAB 600/C firmware 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without requiring the current credentials. Attackers can exploit the userManager.cgx API endpoint by sending a crafted POST request with a new MD5-hashed password to directly modify the admin account's authentication.
CWE-306 Dec 22, 2025
CVE-2023-53964 9.8 CRITICAL 1 PoC Analysis EPSS 0.01
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - RCE
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated vulnerability in the /usr/cgi-bin/restorefactory.cgi endpoint that allows remote attackers to reset device configuration. Attackers can send a POST request to the endpoint with specific data to trigger a factory reset and bypass authentication, gaining full system control.
CWE-306 Dec 22, 2025
CVE-2025-12049 9.8 CRITICAL EPSS 0.00
Sharp Mp-01 Firmware - Missing Authentication
Missing Authentication for Critical Function vulnerability in Sharp Display Solutions Media Player MP-01 (all versions) allows an attacker to access the web interface of the affected product without authentication and change settings or perform other operations, and to deliver content from the authoring software to the affected product without authentication.
CWE-306 Dec 22, 2025
CVE-2023-47232 4.3 MEDIUM EPSS 0.00
MojofyWP WP Affiliate Disclosure <1.2.6 - Info Disclosure
Vulnerability in mojofywp WP Affiliate Disclosure wp-affiliate-disclosure. This issue affects WP Affiliate Disclosure: from n/a through 1.2.6.
CWE-306 Dec 21, 2025