Mohamed Shahat

55 exploits Active since Feb 2025
CVE-2025-22960 WRITEUP HIGH WORKING POC
GatesAir Maxiva UAXT/VAXT - Info Disclosure
A session hijacking vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters. Unauthenticated attackers can access exposed log files (/logs/debug/xteLog*), potentially revealing sensitive session-related information such as session IDs (sess_id) and authentication success tokens (user_check_password OK). Exploiting this flaw could allow attackers to hijack active sessions, gain unauthorized access, and escalate privileges on affected devices.
CVSS 8.0
CVE-2025-22961 WRITEUP HIGH WORKING POC
GatesAir Maxiva UAXT/VAXT - Info Disclosure
A critical information disclosure vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters due to Incorrect Access Control (CWE-284). Unauthenticated attackers can directly access sensitive database backup files (snapshot_users.db) via publicly exposed URLs (/logs/devcfg/snapshot/ and /logs/devcfg/user/). Exploiting this vulnerability allows retrieval of sensitive user data, including login credentials, potentially leading to full system compromise.
CVSS 8.0
CVE-2025-22962 WRITEUP HIGH WORKING POC
GatesAir Maxiva UAXT and VAXT - Authenticated Remote Code Execution via /json Endpoint
A critical remote code execution (RCE) vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters when debugging mode is enabled. An attacker with a valid session ID (sess_id) can send specially crafted POST requests to the /json endpoint, enabling arbitrary command execution on the underlying system. This vulnerability can lead to full system compromise, including unauthorized access, privilege escalation, and potentially full device takeover.
CVSS 7.2
CVE-2025-28228 WRITEUP HIGH WORKING POC
Electrolink FM/DAB/TV Transmitter - Credentials Disclosure
A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and Display v1.4, v1.2 allows unauthorized attackers to access credentials in plaintext.
CVSS 7.5
CVE-2025-28229 WRITEUP CRITICAL WORKING POC
Orban OPTIMOD 5950 Firmware v1.0.0.2 and System v2.2.15 - Unauthenticated Privilege Escalation to Administrator
Incorrect access control in Orban OPTIMOD 5950 Firmware v1.0.0.2 and System v2.2.15 allows attackers to bypass authentication and gain Administrator privileges.
CVSS 9.8
CVE-2025-28230 WRITEUP CRITICAL WORKING POC
JMBroadcast JMB0150 Firmware v1.0 - Use of Hard-coded Credentials
Incorrect access control in JMBroadcast JMB0150 Firmware v1.0 allows attackers to access hardcoded administrator credentials.
CVSS 9.1
CVE-2025-28231 WRITEUP CRITICAL WORKING POC
Itel Electronics IP Stream <1.7.0.6 - Privilege Escalation
Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges.
CVSS 9.1
CVE-2025-28232 WRITEUP CRITICAL WORKING POC
JMBroadcast JMB0150 Firmware v1.0 - Unauthenticated Admin Panel Access via HOME.php Endpoint
Incorrect access control in the HOME.php endpoint of JMBroadcast JMB0150 Firmware v1.0 allows attackers to access the Admin panel without authentication.
CVSS 9.1
CVE-2025-28233 WRITEUP CRITICAL WORKING POC
BW Broadcast TX600-1000 - Info Disclosure
Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, AIO Firmware Version: 1.7 allows attackers to access log files and extract session identifiers to execute a session hijacking attack.
CVSS 9.1
CVE-2025-28235 WRITEUP HIGH WORKING POC
Soundcraft Ui Series - Info Disclosure
An information disclosure vulnerability in the component /socket.io/1/websocket/ of Soundcraft Ui Series Model(s) Ui12 and Ui16 Firmware v1.0.7x and v1.0.5x allows attackers to access Administrator credentials in plaintext.
CVSS 7.5
CVE-2025-28236 WRITEUP CRITICAL WORKING POC
Nautel VX Series transmitters <6.4.0 - RCE
Nautel VX Series transmitters VX SW v6.4.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the firmware update process. This vulnerability allows attackers to execute arbitrary code via supplying a crafted update package to the /#/software/upgrades endpoint.
CVSS 9.8
CVE-2025-28237 WRITEUP HIGH WORKING POC
WorldCast Systems ECRESO FM/DAB/TV Transmitter <1.10.1 - Privilege ...
An issue in WorldCast Systems ECRESO FM/DAB/TV Transmitter v1.10.1 allows authenticated attackers to escalate privileges via a crafted JSON payload.
CVSS 8.8
CVE-2025-28238 WRITEUP CRITICAL WORKING POC
Elber REBLE310 Firmware <5.5.1.R - Session Hijacking
Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack.
CVSS 9.8
CVE-2025-28242 WRITEUP CRITICAL WORKING POC
DAEnetIP4 METO v1.25 - Session Hijacking
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack.
CVSS 9.8
CVE-2025-43953 WRITEUP HIGH WORKING POC
2wcom IP-4c 2.16 - Authenticated Remote Code Execution via Ping or Traceroute Field
In 2wcom IP-4c 2.16, the web interface allows admin and manager users to execute arbitrary code as root via a ping or traceroute field on the TCP/IP screen.
CVSS 8.8
CVE-2025-45813 WRITEUP CRITICAL WORKING POC
ENENSYS IPGuard v2 2.10.0 - Use of Hard-coded Credentials
ENENSYS IPGuard v2 2.10.0 was discovered to contain hardcoded credentials.
CVSS 9.8
CVE-2025-45814 WRITEUP CRITICAL WORKING POC
NovelSat NS3000 and NS2000 Firmware - Unauthenticated Session Hijacking via query.fcgi Endpoint
Missing authentication checks in the query.fcgi endpoint of NS3000 v8.1.1.125110 , v7.2.8.124852 , and v7.x and NS2000 v7.02.08 allows attackers to execute a session hijacking attack.
CVSS 9.8
CVE-2025-57430 WRITEUP HIGH WORKING POC
Creacast Creabox Manager 4.4.4 - Unauthenticated Sensitive Information Exposure via /get Endpoint
Creacast Creabox Manager 4.4.4 exposes sensitive configuration data via a publicly accessible endpoint /get. When accessed, this endpoint returns internal configuration including the creacodec.lua file, which contains plaintext admin credentials.
CVSS 7.5
CVE-2025-57431 WRITEUP HIGH WORKING POC
Sound4 PULSE-ECO AES67 Firmware 1.22 - Remote Code Execution via Malicious Firmware Update Package
The Sound4 PULSE-ECO AES67 1.22 web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware.
CVSS 8.8
CVE-2025-57432 WRITEUP CRITICAL WORKING POC
Blackmagic Web Presenter 3.3 - Unauthenticated Remote Command Execution via Telnet Service
Blackmagic Web Presenter version 3.3 exposes a Telnet service on port 9977 that accepts unauthenticated commands. This service allows remote attackers to manipulate stream settings, including changing video modes and possibly altering device functionality. No credentials or authentication mechanisms are required to interact with the Telnet interface.
CVSS 9.8
CVE-2025-57433 WRITEUP MEDIUM WORKING POC
2wcom IP-4c 2.15.5 - Authenticated Exposure of Sensitive Information via /cwi/ajax_request/get_data.php
The 2wcom IP-4c 2.15.5 device's web interface includes an information disclosure vulnerability. By sending a crafted POST request to a specific endpoint (/cwi/ajax_request/get_data.php), an authenticated attacker (even with a low-privileged account like guest) can retrieve the hashed passwords for the admin, manager, and guest accounts. This significantly weakens the system's security posture, as these hashes could be cracked offline, granting attackers administrative access to the device.
CVSS 6.5
CVE-2025-57434 WRITEUP HIGH WORKING POC
Creacast Creabox Manager - Improper Authentication via Password Prefix Bypass
Creacast Creabox Manager contains a critical authentication flaw that allows an attacker to bypass login validation. The system grants access when the username is creabox and the password begins with the string creacast, regardless of what follows.
CVSS 8.8
CVE-2025-57437 WRITEUP CRITICAL WORKING POC
Blackmagic Web Presenter HD Firmware 3.3 - Unauthenticated Sensitive Information Exposure via Telnet Service
The Blackmagic Web Presenter HD firmware version 3.3 exposes sensitive information via an unauthenticated Telnet service on port 9977. When connected, the service reveals extensive device configuration data including: - Model, version, and unique identifiers - Network settings including IP, MAC, DNS - Current stream platform, stream key, and streaming URL - Audio/video configuration This data can be used to hijack live streams or perform network reconnaissance.
CVSS 9.8
CVE-2025-57438 WRITEUP MEDIUM WORKING POC
2wcom IP-4c 2.15.5 - Broken Access Control via Request Manipulation
The 2wcom IP-4c 2.15.5 device suffers from a Broken Access Control vulnerability. Certain sensitive endpoints are intended to be accessible only after the admin explicitly grants access to a manager-level account. However, a manager-level user can bypass these controls by intercepting and modifying requests.
CVSS 6.8
CVE-2025-57439 WRITEUP HIGH WORKING POC
Creacast Creabox Manager 4.4.4 - Authenticated Remote Code Execution via edit.php Lua Injection
Creacast Creabox Manager 4.4.4 contains a critical Remote Code Execution vulnerability accessible via the edit.php endpoint. An authenticated attacker can inject arbitrary Lua code into the configuration, which is then executed on the server. This allows full system compromise, including reverse shell execution or arbitrary command execution.
CVSS 8.8