Mohamed Shahat

55 exploits. Active since Feb 2025
CVE-2025-57440 WRITEUP HIGH WORKING POC
Blackmagic ATEM Mini Pro - Unauthenticated RCE
The Blackmagic ATEM Mini Pro 2.7 exposes an undocumented Telnet service on TCP port 9993, which accepts unauthenticated plaintext commands for controlling streaming, recording, formatting storage devices, and system reboot. This interface, referred to as the "ATEM Ethernet Protocol 1.0", provides complete device control without requiring credentials or encryption. An attacker on the same network (or with remote access to the exposed port) can exploit this interface to execute arbitrary streaming commands, erase disks, or shut down the device - effectively gaining full remote control.
CVSS 7.5
CVE-2025-57441 WRITEUP CRITICAL WORKING POC
Blackmagicdesign Atem Mini Pro Firmware - Information Disclosure
The Blackmagic ATEM Mini Pro 2.7 exposes sensitive device and stream configuration information via an unauthenticated Telnet service on port 9990. Upon connection, the attacker can access a protocol preamble that leaks the video mode, routing configuration, input/output labels, device model, and even internal identifiers such as the unique ID. This can be used for reconnaissance and planning further attacks.
CVSS 9.8
CVE-2025-63205 WRITEUP HIGH WORKING POC
Bridgetech probes <5.6.0-3 - Info Disclosure
An issue was discovered in bridgetech probes VB220 IP Network Probe, VB120 Embedded IP + RF Probe, VB330 High-Capacity Probe, VB440 ST 2110 Production Analytics Probe, and NOMAD, firmware versions 6.5.0-9, allowing attackers to gain sensitive information such as administrator passwords via the /probe/core/setup/passwd endpoint. NOTE: the Supplier disagrees that 6.5.0-9 is affected, and instead reports that 5.6.0-3 and earlier are affected, and 5.6.0-4 (2020-09-21) and later are fixed.
CVSS 7.5
CVE-2025-63206 WRITEUP CRITICAL WORKING POC
Dasan Switch DS2924 <1.02.00 - Auth Bypass
An authentication bypass issue was discovered in the Dasan Switch DS2924 web-based interface, firmware versions 1.01.18 and 1.02.00, allowing attackers to gain escalated privileges by storing crafted cookies in the web browser.
CVSS 9.8
CVE-2025-63207 WRITEUP CRITICAL WORKING POC
R.V.R Elettronica TEX - Auth Bypass
The R.V.R Elettronica TEX product (firmware TEXL-000400, Web GUI TLAN-000400) is vulnerable to broken access control due to improper authentication checks on the /_Passwd.html endpoint. An attacker can send an unauthenticated POST request to change the Admin, Operator, and User passwords, resulting in complete system compromise.
CVSS 9.8
CVE-2025-63208 WRITEUP HIGH WORKING POC
Bridgetech VB288 <5.6.0-8 - Info Disclosure
An issue was discovered in bridgetech VB288 Objective QoE Content Extractor, firmware version 5.6.0-8, allowing attackers to gain sensitive information such as administrator passwords via the /probe/core/setup/passwd endpoint.
CVSS 7.5
CVE-2025-63209 WRITEUP HIGH WORKING POC
ELCA Star Transmitter Remote Control firmware 1.25 - Info Disclosure
The ELCA Star Transmitter Remote Control firmware 1.25 for STAR150, BP1000, STAR300, STAR2000, STAR1000, STAR500, and possibly other models, contains an information disclosure vulnerability allowing unauthenticated attackers to retrieve admin credentials and system settings via an unprotected /setup.xml endpoint. The admin password is stored in plaintext under the <p05> XML tag, potentially leading to remote compromise of the transmitter system.
CVSS 7.5
CVE-2025-63210 WRITEUP CRITICAL WORKING POC
Newtec Celox UHD - Auth Bypass
The Newtec Celox UHD (models: CELOXA504, CELOXA820) running firmware version celox-21.6.13 is vulnerable to an authentication bypass. An attacker can exploit this issue by modifying intercepted responses from the /celoxservice endpoint. By injecting a forged response body during the loginWithUserName flow, the attacker can gain Superuser or Operator access without providing valid credentials.
CVSS 9.8
CVE-2025-63211 WRITEUP MEDIUM WORKING POC
Bridgetech VBC Server & Element Manager <6.5.0-10 - XSS
Stored cross-site scripting vulnerability in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-9 through 6.5.0-10, allows attackers to execute arbitrary code via the addName parameter to the /vbc/core/userSetupDoc/userSetupDoc endpoint.
CVSS 6.1
CVE-2025-63212 WRITEUP MEDIUM WORKING POC
GatesAir Flexiva-LX <2.0 - Info Disclosure
GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker can retrieve valid session IDs and hijack sessions without providing any credentials. This attack requires the legitimate user (admin) to have previously closed the browser window without logging out.
CVSS 6.5
CVE-2025-63213 WRITEUP CRITICAL WORKING POC
QVidium Opera11 <2.9.0-Ax4x-opera11 - RCE
The QVidium Opera11 device (firmware version 2.9.0-Ax4x-opera11) is vulnerable to Remote Code Execution (RCE) due to improper input validation on the /cgi-bin/net_ping.cgi endpoint. An attacker can exploit this vulnerability by sending a specially crafted GET request with a malicious parameter to inject arbitrary commands. These commands are executed with root privileges, allowing attackers to gain full control over the device. This poses a significant security risk to any device running this software.
CVSS 9.8
CVE-2025-63214 WRITEUP MEDIUM WORKING POC
Bridgetech Vbc Server - Improper Access Control
An issue was discovered in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-9 and 6.5.0-10, allowing unauthorized attackers to delete and create arbitrary accounts.
CVSS 6.5
CVE-2025-63215 WRITEUP HIGH WORKING POC
Sound4 IMPACT - RCE
The Sound4 IMPACT web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware.
CVSS 7.2
CVE-2025-63216 WRITEUP CRITICAL WORKING POC
Itel DAB Gateway - Auth Bypass
The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices.
CVSS 10.0
CVE-2025-63217 WRITEUP CRITICAL WORKING POC
Itel DAB MUX - Auth Bypass
The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices.
CVSS 9.8
CVE-2025-63218 WRITEUP CRITICAL WORKING POC
Axel Technology WOLF1MS/WOLF2MS <1.0.3 - RCE
The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.
CVSS 9.8
CVE-2025-63219 WRITEUP HIGH WORKING POC
ITEL ISO FM SFN Adapter - Session Hijacking
The ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control the device, modify configurations, and compromise system integrity.
CVSS 7.5
CVE-2025-63220 WRITEUP HIGH WORKING POC
Sound4 FIRST - RCE
The Sound4 FIRST web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware.
CVSS 7.2
CVE-2025-63221 WRITEUP CRITICAL WORKING POC
Axel Technology puma <1.0.3 - Auth Bypass
The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.
CVSS 9.1
CVE-2025-63223 WRITEUP CRITICAL WORKING POC
Axel Technology StreamerMAX MK II <1.0.3 - Auth Bypass
The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.
CVSS 9.8
CVE-2025-63224 WRITEUP CRITICAL WORKING POC
Itel DAB Encoder <25aec8d - Auth Bypass
The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices.
CVSS 10.0
CVE-2025-63225 WRITEUP CRITICAL WORKING POC
Eurolab ELTS100_UBX - Privilege Escalation
The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network configurations, upload firmware, and execute unauthorized actions without any form of authentication. This vulnerability allows remote attackers to fully compromise the device, control its functionality, and disrupt its operation.
CVSS 9.8
CVE-2025-63226 WRITEUP MEDIUM WORKING POC
Sencore SMP100 - Session Hijacking
The Sencore SMP100 SMP Media Platform (firmware versions V4.2.160, V60.1.4, V60.1.29) is vulnerable to session hijacking due to improper session management on the /UserManagement.html endpoint. Attackers who are on the same network as the victim and have access to the target's logged-in session can access the endpoint and add new users without any authentication. This allows attackers to gain unauthorized access to the system and perform malicious activities.
CVSS 5.7
CVE-2025-63227 WRITEUP HIGH WORKING POC
Mozart FM Transmitter WEBMOZZI-00287 - RCE
The Mozart FM Transmitter web management interface on version WEBMOZZI-00287 contains an unrestricted file upload vulnerability in the /patch.php endpoint. An attacker with administrative credentials can upload arbitrary files (e.g., PHP webshells), which are stored in the /patch/ directory. This allows the attacker to execute arbitrary commands on the server, potentially leading to full system compromise.
CVSS 7.2
CVE-2025-63228 WRITEUP CRITICAL WORKING POC
Mozart FM Transmitter WEBMOZZI-00287 - RCE
The Mozart FM Transmitter web management interface on version WEBMOZZI-00287 contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. An attacker can exploit this by sending a crafted POST request with a malicious file (e.g., a PHP webshell) to the server. The uploaded file is stored in the /upload/ directory, enabling remote code execution and full system compromise.
CVSS 9.8