Kevin Finisterre

64 exploits Active since Dec 2000
CVE-2025-35027 WRITEUP HIGH WRITEUP
Unitree G1, Go2, H1, B2 Firmware - OS Command Injection via BLE WiFi Configuration
Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script. All Unitree models use firmware derived from the same codebase (MIT Cheetah), and the two major forks are the G1 (humanoid) and Go2 (quadruped) branches.
CVSS 7.3
CVE-2025-60250 WRITEUP MEDIUM WRITEUP
Unitree Go2, G1, H1, B2 - Info Disclosure
Unitree Go2, G1, H1, and B2 devices through 2025-09-20 decrypt BLE packet data by using the df98b715d5c6ed2b25817b6f2554124a key and the 2841ae97419c2973296a0d4bdfe19a4f IV.
CVSS 4.7
CVE-2025-60251 WRITEUP MEDIUM WRITEUP
Unitree Go2-G1-H1-B2 - Info Disclosure
Unitree Go2, G1, H1, and B2 devices through 2025-09-20 accept any handshake secret with the unitree substring.
CVSS 5.0
CVE-2005-4417 EXPLOITDB WORKING POC
Widcomm Bluetooth for Windows <4.0.1.1500 - Info Disclosure
The default configuration of Widcomm Bluetooth for Windows (BTW) 4.0.1.1500 and earlier, as installed on Belkin Bluetooth Software 1.4.2 Build 10 and ANYCOM Blue USB-130-250 Software 4.0.1.1500, and possibly other devices, sets null Authentication and Authorization values, which allows remote attackers to send arbitrary audio and possibly eavesdrop using the microphone via the Hands Free Audio Gateway and Headset profile.
CVE-2005-2715 EXPLOITDB perl WORKING POC
VERITAS NetBackup 4.5FP/4.5MP/5.0-6.0 - Remote Code Execution via Java UI Format String
Format string vulnerability in the Java user interface service (bpjava-msvc) daemon for VERITAS NetBackup Data and Business Center 4.5FP and 4.5MP, and NetBackup Enterprise/Server/Client 5.0, 5.1, and 6.0, allows remote attackers to execute arbitrary code via the COMMAND_LOGON_TO_MSERVER command.
CVE-2008-0175 EXPLOITDB ruby WORKING POC
GE Fanuc Proficy Real-Time Information Portal < 2.6 - Remote Code Execution via Unrestricted File Upload
Unrestricted file upload vulnerability in GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension to the main virtual directory.
CVE-2006-6488 EXPLOITDB ruby WORKING POC
ICONICS OPC Enabled Gauge - Buffer Overflow
Stack-based buffer overflow in the DoModal function in the Dialog Wrapper Module ActiveX control (DlgWrapper.dll) before 8.4.166.0, as used by ICONICS OPC Enabled Gauge, Switch, and Vessel ActiveX, allows remote attackers to execute arbitrary code via a long (1) FileName or (2) Filter argument.
CVE-2008-2639 EXPLOITDB ruby WORKING POC
Citect CitectSCADA 6-7 and CitectFacilities 7 - Remote Code Execution via ODBC Server Service
Stack-based buffer overflow in the ODBC server service in Citect CitectSCADA 6 and 7, and CitectFacilities 7, allows remote attackers to execute arbitrary code via a long string in the second application packet in a TCP session on port 20222.
CVE-2006-3838 EXPLOITDB perl WORKING POC
eIQnetworks Enterprise Security Analyzer < 2.4.0 - Remote Code Execution via Multiple Buffer Overflows
Multiple stack-based buffer overflows in eIQnetworks Enterprise Security Analyzer (ESA) before 2.5.0, as used in products including (a) Sidewinder, (b) iPolicy Security Manager, (c) Astaro Report Manager, (d) Fortinet FortiReporter, (e) Top Layer Network Security Analyzer, and possibly other products, allow remote attackers to execute arbitrary code via long (1) DELTAINTERVAL, (2) LOGFOLDER, (3) DELETELOGS, (4) FWASERVER, (5) SYSLOGPUBLICIP, (6) GETFWAIMPORTLOG, (7) GETFWADELTA, (8) DELETERDEPDEVICE, (9) COMPRESSRAWLOGFILE, (10) GETSYSLOGFIREWALLS, (11) ADDPOLICY, and (12) EDITPOLICY commands to the Syslog daemon (syslogserver.exe); (13) GUIADDDEVICE, (14) ADDDEVICE, and (15) DELETEDEVICE commands to the Topology server (Topology.exe); the (15) LICMGR_ADDLICENSE command to the License Manager (EnterpriseSecurityAnalyzer.exe); the (16) TRACE and (17) QUERYMONITOR commands to the Monitoring agent (Monitoring.exe); and possibly other vectors related to the Syslog daemon (syslogserver.exe).
EIP-2026-118601 EXPLOITDB ruby WORKING POC
GE Proficy Real Time Information Portal - Credentials Leak Sniffer (Metasploit)
EIP-2026-118509 EXPLOITDB perl WORKING POC
eIQnetworks ESA - Syslog Server Remote Buffer Overflow
CVE-2005-0978 EXPLOITDB text WORKING POC
IVT BlueSoleil 1.4 - Path Traversal
Directory traversal vulnerability in the Object Push service in IVT BlueSoleil 1.4 allows remote attackers to upload arbitrary files via a .. (dot dot) in a PUSH command.
CVE-2007-4441 EXPLOITDB php WORKING POC
PHP < 5.2.0 - Buffer Overflow in win32std Extension via win_browse_file Function
Buffer overflow in php_win32std.dll in the win32std extension for PHP 5.2.0 and earlier allows context-dependent attackers to execute arbitrary code via a long string in the filename argument to the win_browse_file function.
CVE-2008-3529 EXPLOITDB ruby WORKING POC
libxml2 < 2.7.0 - Heap-Based Buffer Overflow via Long XML Entity Name
Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.
EIP-2026-114745 EXPLOITDB perl WORKING POC
Tru64 UNIX 5.0 (Rev. 910) - rdist NLSPATH Buffer Overflow
CVE-2002-0887 EXPLOITDB text WORKING POC
scoadmin - Caldera/SCO OpenServer <5.0.6 - Local Privilege Escalation
scoadmin for Caldera/SCO OpenServer 5.0.5 and 5.0.6 allows local users to overwrite arbitrary files via a symlink attack on temporary files, as demonstrated using log files.
EIP-2026-114744 EXPLOITDB perl WORKING POC
Tru64 UNIX 5.0 (Rev. 910) - edauth NLSPATH Buffer Overflow
CVE-2005-1394 EXPLOITDB c WORKING POC
ArcGIS for ESRI ArcInfo Workstation 9.0 - Privilege Escalation
Format string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 allows local users to gain privileges via format string specifiers in the ARCHOME environment variable to (1) wservice or (2) lockmgr.
CVE-2006-0396 EXPLOITDB perl WORKING POC
Mac OS X 10.4-10.4.5 - Remote Code Execution via Long Real Name in AppleDouble Email Attachment
Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment.
CVE-2006-5851 EXPLOITDB perl WORKING POC
OpenBase SQL < 10.0.1 - Arbitrary File Creation via Symlink Attack on /tmp/output
openexec in OpenBase SQL before 10.0.1 allows local users to create arbitrary files via a symlink attack on the /tmp/output file, a different vulnerability than CVE-2006-5328.
CVE-2005-1333 EXPLOITDB text WRITEUP
macOS 10.3.9 - Directory Traversal via Bluetooth OBEX Services
Directory traversal vulnerability in the Bluetooth file and object exchange (OBEX) services in Mac OS X 10.3.9 allows remote attackers to read arbitrary files.
EIP-2026-104607 EXPLOITDB perl WORKING POC
Xcode OpenBase 9.1.5 (OSX) - Local Privilege Escalation
CVE-2006-5852 EXPLOITDB perl WORKING POC
OpenBase SQL <10.0.1 - Privilege Escalation
Untrusted search path vulnerability in openexec in OpenBase SQL before 10.0.1 allows local users to gain privileges via a modified PATH that references a malicious helper binary, as demonstrated by (1) cp, (2) rm, and (3) killall, different vectors than CVE-2006-5327.
EIP-2026-104608 EXPLOITDB perl WORKING POC
Xcode OpenBase 9.1.5 (OSX) - Root File Create Privilege Escalation
CVE-2005-2715 EXPLOITDB perl WORKING POC
VERITAS NetBackup 4.5FP/4.5MP/5.0-6.0 - Remote Code Execution via Java UI Format String
Format string vulnerability in the Java user interface service (bpjava-msvc) daemon for VERITAS NetBackup Data and Business Center 4.5FP and 4.5MP, and NetBackup Enterprise/Server/Client 5.0, 5.1, and 6.0, allows remote attackers to execute arbitrary code via the COMMAND_LOGON_TO_MSERVER command.