Edward Warren

72 exploits Active since Jun 2023
CVE-2025-68716 WRITEUP HIGH WRITEUP
KAYSUS KS-WR3600 Firmware 1.0.5.9.1 - Unauthenticated Root Shell Access via SSH
KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially gain root shell access and execute arbitrary commands with full privileges.
CVSS 8.4
CVE-2025-68706 WRITEUP CRITICAL WRITEUP
KuwFi AC900 Firmware 1.0.13 - Stack-based Buffer Overflow via formMultiApnSetting Pincode Parameter
A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer with no bounds checks. This allows an attacker to corrupt adjacent stack memory, crash the web server, and (under certain conditions) may enable arbitrary code execution.
CVSS 9.8
CVE-2025-68715 WRITEUP CRITICAL WRITEUP
Panda Wireless PWRU0 <2.2.9 - Privilege Escalation
An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated attacker can modify WAN, LAN, and wireless settings directly, leading to privilege escalation and denial of service.
CVSS 9.1
CVE-2024-31977 WRITEUP HIGH WRITEUP
Adtran 834-5 <11.1.0.101 - Command Injection
Adtran 834-5 11.1.0.101-202106231430, and fixed as of SmartOS Version 12.6.3.1, devices allow OS Command Injection via shell metacharacters to the Ping or Traceroute utility.
CVSS 8.8
CVE-2025-43979 WRITEUP HIGH WRITEUP
FIRSTNUM JC21A-04 - Command Injection
An issue was discovered on FIRSTNUM JC21A-04 devices through 2.01ME/FN that allows authenticated attackers to execute arbitrary OS system commands with root privileges via crafted payloads to the xml_action.cgi?method= endpoint.
CVSS 7.4
CVE-2025-43978 WRITEUP HIGH WRITEUP
Jointelli 5G CPE 21H01 - Command Injection
Jointelli 5G CPE 21H01 firmware JY_21H01_A3_v1.36 devices allow (blind) OS command injection. Multiple endpoints are vulnerable, including /ubus/?flag=set_WPS_pin and /ubus/?flag=netAppStar1 and /ubus/?flag=set_wifi_cfgs. This allows an authenticated attacker to execute arbitrary OS commands with root privileges via crafted inputs to the SSID, WPS, Traceroute, and Ping fields.
CVSS 7.4
CVE-2025-43980 WRITEUP MEDIUM WRITEUP
FIRSTNUM JC21A-04 - Info Disclosure
An issue was discovered on FIRSTNUM JC21A-04 devices through 2.01ME/FN. They enable the SSH service by default with the credentials of root/admin. The GUI doesn't offer a way to disable the account.
CVSS 6.5
CVE-2025-43982 WRITEUP CRITICAL WRITEUP
Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 - Hard-coded Root Account
Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices enable the SSH service by default. There is a hidden hard-coded root account that cannot be disabled in the GUI.
CVSS 9.8
CVE-2025-43983 WRITEUP CRITICAL WRITEUP
KuWFi CPF908-CP5 WEB5.0_LCD_20210125 - Info Disclosure
KuWFi CPF908-CP5 WEB5.0_LCD_20210125 devices have multiple unauthenticated access control vulnerabilities within goform/goform_set_cmd_process and goform/goform_get_cmd_process. These allow an unauthenticated attacker to retrieve sensitive information (including the device admin username and password), modify critical device settings, and send arbitrary SMS messages.
CVSS 9.1
CVE-2025-43984 WRITEUP CRITICAL WRITEUP
KuwFi GC111 CPE-LM321_V3.2 GC111-GL-LM321_V3.0_20191211 - Unauthenticated OS Command Injection via SSID Parameter
An issue was discovered on KuWFi GC111 devices (Hardware Version: CPE-LM321_V3.2, Software Version: GC111-GL-LM321_V3.0_20191211). They are vulnerable to unauthenticated /goform/goform_set_cmd_process requests. A crafted POST request, using the SSID parameter, allows remote attackers to execute arbitrary OS commands with root privileges.
CVSS 9.8
CVE-2025-43986 WRITEUP CRITICAL WRITEUP
KuwFi GC111 GC111-GL-LM321_V3.0_20191211 - Unauthenticated Exposure of Sensitive Information via TELNET Service
An issue was discovered on KuWFi GC111 GC111-GL-LM321_V3.0_20191211 devices. The TELNET service is enabled by default and exposed over the WAN interface without authentication.
CVSS 9.8
CVE-2025-43988 WRITEUP HIGH WRITEUP
KuWFi 5G01-X55 FL2020_V0.0.12 - Info Disclosure
KuWFi 5G01-X55 FL2020_V0.0.12 devices expose an unauthenticated API endpoint (ajax_get.cgi), allowing remote attackers to retrieve sensitive configuration data, including admin credentials.
CVSS 7.5
CVE-2025-68717 WRITEUP CRITICAL WRITEUP
KAYSUS KS-WR3600 1.0.5.9.1 - Auth Bypass
KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. This design flaw lets attackers piggyback on another user's active session to retrieve sensitive configuration data or execute privileged actions without authentication.
CVSS 9.4
CVE-2023-34761 WRITEUP MEDIUM WRITEUP
7-Eleven Hello Cup 1.3.1 - Unauthenticated BLE Connection Bypass
An unauthenticated attacker within BLE proximity can remotely connect to a 7-Eleven LED Message Cup, Hello Cup 1.3.1 for Android, and bypass the application's client-side chat censor filter.
CVSS 6.5
CVE-2023-36351 WRITEUP HIGH WRITEUP
Viatom Health ViHealth <2.74.58 - RCE
An issue in Viatom Health ViHealth for Android v.2.74.58 and before allows a remote attacker to execute arbitrary code via the com.viatom.baselib.mvvm.webWebViewActivity component.
CVSS 7.8
CVE-2023-40038 WRITEUP HIGH WRITEUP
Arris DG860A and DG1670A - Unauthenticated Remote Access via Predictable WPA2 PSK
Arris DG860A and DG1670A devices have predictable default WPA2 PSKs that could lead to unauthorized remote access. (They use the first 6 characters of the SSID and the last 6 characters of the BSSID, decrementing the last digit.)
CVSS 8.8
CVE-2023-40039 WRITEUP CRITICAL WRITEUP
ARRIS TG852G TG862G TG1672G - Unauthenticated WPA2-PSK Derivation via Beacon Frame
An issue was discovered on ARRIS TG852G, TG862G, and TG1672G devices. A remote attacker (in proximity to a Wi-Fi network) can derive the default WPA2-PSK value by observing a beacon frame.
CVSS 9.8
CVE-2023-47352 WRITEUP HIGH WRITEUP
Technicolor TC8715D - Info Disclosure
Technicolor TC8715D devices have predictable default WPA2 security passwords. An attacker who scans for SSID and BSSID values may be able to predict these passwords.
CVSS 8.8
CVE-2024-23726 WRITEUP HIGH WRITEUP
Ubee DDW365 XCNDDW365 - Use of Hard-coded Credentials via Predictable WPA2 PSK
Ubee DDW365 XCNDDW365 devices have predictable default WPA2 PSKs that could lead to unauthorized remote access. A remote attacker (in proximity to a Wi-Fi network) can derive the default WPA2-PSK value by observing a beacon frame. A PSK is generated by using the first six characters of the SSID and the last six of the BSSID, decrementing the last digit.
CVSS 8.8
CVE-2024-28090 WRITEUP MEDIUM WRITEUP
Technicolor TC8715D 01.EF.04.38.00 Stored XSS via User Name in dyn_dns.asp
Technicolor TC8715D TC8715D-01.EF.04.38.00-180405-S-FF9-D RSE-TC8717T devices allow a remote attacker within Wi-Fi proximity to conduct stored XSS attacks via User name in dyn_dns.asp.
CVSS 5.4
CVE-2024-28091 WRITEUP MEDIUM WRITEUP
Technicolor TC8715D TC8715D-01.EF.04.38.00 Stored XSS via User Defined Service in managed_services_add.asp
Technicolor TC8715D TC8715D-01.EF.04.38.00-180405-S-FF9-D RSE-TC8717T devices allow a remote attacker within Wi-Fi proximity to conduct stored XSS attacks via User Defined Service in managed_services_add.asp (the victim must click an X for a deletion).
CVSS 6.1
CVE-2024-28092 WRITEUP HIGH WRITEUP
UBEE DDW365 XCNDDW365 <8.14.3105 - Stored XSS
UBEE DDW365 XCNDDW365 8.14.3105 software on hardware 3.13.1 allows a remote attacker within Wi-Fi proximity to conduct stored XSS attacks via RgFirewallEL.asp, RgDdns.asp, RgTime.asp, RgDiagnostics.asp, or RgParentalBasic.asp. The affected fields are SMTP Server Name, SMTP Username, Host Name, Time Server 1, Time Server 2, Time Server 3, Target, Add Keyword, Add Domain, and Add Allowed Domain.
CVSS 7.2
CVE-2024-31972 WRITEUP MEDIUM WRITEUP
EnGenius ESR580 A8J-EMR5000 - Stored Cross-Site Scripting via Wi-Fi SSID Input Fields
EnGenius ESR580 A8J-EMR5000 devices allow a remote attacker to conduct stored XSS attacks that could lead to arbitrary JavaScript code execution (under the context of the user's session) via the Wi-Fi SSID input fields. Web scripts embedded into the vulnerable fields this way are executed immediately when a user logs into the admin page. This affects /admin/wifi/wlan1 and /admin/wifi/wlan_guest.
CVSS 4.3
CVE-2024-31973 WRITEUP MEDIUM WRITEUP
Hitron CODA-4582 2AHKM-CODA4589 7.2.4.5.1b8 - Stored Cross-Site Scripting via Network Name (SSID) Input
Hitron CODA-4582 2AHKM-CODA4589 7.2.4.5.1b8 devices allow a remote attacker within Wi-Fi proximity to conduct stored XSS attacks via the 'Network Name (SSID)' input fields to the /index.html#wireless_basic page.
CVSS 5.2
CVE-2024-31975 WRITEUP MEDIUM WRITEUP
EnGenius EWS356-Fit Firmware <= 1.1.30 - Stored Cross-Site Scripting via Wi-Fi SSID Parameter
EnGenius EWS356-Fit devices through 1.1.30 allow a remote attacker to conduct stored XSS attacks via the Wi-Fi SSID parameters. JavaScript embedded into a vulnerable field is executed when the user clicks the SSID field's corresponding EDIT button.
CVSS 4.8