Security
Headlines
HeadlinesLatestCVEs

Tag

#rce

GHSA-hjq4-87xh-g4fv: vLLM Allows Remote Code Execution via PyNcclPipe Communication Service

### Impacted Environments This issue ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other configurations are affected. ### Summary vLLM supports the use of the `PyNcclPipe` class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the `PyNcclCommunicator` class, while CPU-side control message passing is handled via the `send_obj` and `recv_obj` methods on the CPU side.​ A remote code execution vulnerability exists in the `PyNcclPipe` service. Attackers can exploit this by sending malicious serialized data to gain server control privileges. The intention was that this interface should only be exposed to a private network using the IP address specified by the `--kv-ip` CLI parameter. The vLLM documentation covers how this must be limited to a secured network: https://docs.vllm.ai/en/latest/deployment/security.html Unfortunat...

ghsa
#vulnerability#git#rce
Schneider Electric Galaxy VS, Galaxy VL, Galaxy VXL

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Galaxy VS, Galaxy VL, Galaxy VXL Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform unauthenticated remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Schneider Electric products are affected: Galaxy VS: All versions Galaxy VL: All versions Galaxy VXL: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute a...

Vertiv Liebert RDU101 and UNITY

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Vertiv Equipment: Liebert RDU101 and Liebert UNITY Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Stack-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition or achieve remote code execution 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Vertiv products are affected: Liebert RDU101: Versions 1.9.0.0 and prior Liebert IS-UNITY: Versions 8.4.1.0 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288 Affected Vertiv products do not properly protect webserver functions that could allow an attacker to bypass authentication. CVE-2025-46412 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS v...

GHSA-5rjg-fvgr-3xxf: setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write

### Summary A path traversal vulnerability in `PackageIndex` was fixed in setuptools version 78.1.1 ### Details ``` def _download_url(self, url, tmpdir): # Determine download filename # name, _fragment = egg_info_for_url(url) if name: while '..' in name: name = name.replace('..', '.').replace('\\', '_') else: name = "__downloaded__" # default if URL has no path contents if name.endswith('.[egg.zip](http://egg.zip/)'): name = name[:-4] # strip the extra .zip before download --> filename = os.path.join(tmpdir, name) ``` Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88 `os.path.join()` discards the first argument `tmpdir` if the second begins with a slash or drive letter. `name` is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instanc...

ABB Cylon FLXeon 9.3.5 (siteGuide.js) Authenticated Root Remote Code Execution

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/siteGuide endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the filename and/or originalname parameters. The issue arises due to improper input validation in siteGuide.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

Ivanti EPMM Hit by Two Actively Exploited 0day Vulnerabilities

Ivanti EPMM users urgently need to patch against actively exploited 0day vulnerabilities (CVE-2025-4427, CVE-2025-4428) that enable pre-authenticated remote…

GHSA-g5mq-prx7-c588: motionEye vulnerable to RCE in add_camera Function Due to unsafe command execution

### Summary Using a constructed (camera) device path with the `config/add`/`add_camera` motionEye web API allows an attacker with motionEye admin user credentials to execute any UNIX shell code within a non-interactive shell as executing user of the motionEye instance, `motion` by default. #### function call stack 1. `post` 2. `add_camera` 3. `config.add_camera` 4. `v4l2ctl.list_resolutions` 5. `utils.call_subprocess` 6. `subprocess.run` ### PoC #### build ```sh RUN_USER="user" RUN_UID=$(id -u ${RUN_USER}) RUN_GID=$(id -g ${RUN_USER}) TIMESTAMP="$(date '+%Y%m%d-%H%M')" docker build \ --network host \ --build-arg="RUN_UID=${RUN_UID?}" \ --build-arg="RUN_GID=${RUN_GID?}" \ -t "${USER?}/motioneye:${TIMESTAMP}" \ --no-cache \ -f docker/Dockerfile . ``` #### reproduce Run: ```sh docker run --rm -d -p 8765:8765 --hostname="motioneye" -v /etc/localtime:/etc/localtime:ro -v /tmp/motioneyeconfig:/etc/motioneye -v /tmp/motioneyeconfig:/var/lib/motioneye ``` ```console ...

Siemens INTRALOG WMS

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: INTRALOG WMS Vulnerabilities: Cleartext Transmission of Sensitive Information, Uncontrolled Resource Consumption, Use After Free, Improper Link Resolution Before File Access ('Link Following'), Improper Input Validation, Inefficient Algorithmic Complexity 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to bypass security features, cause a denial-of-service condition, or execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens INTRALOG WM...

GHSA-f4rq-f4j9-f6rm: Apache IoTDB Vulnerable to Remote Code Execution

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version 1.3.4, which fixes the issue.