NVD や CVE、ほか複数の脅威フィードを束ね、RCE など高リスクな事象を深く追える一覧です。CVSS と EPSS を組み合わせ、Exploit 参照や PoC の有無から悪用しやすさを追跡します。ベンダー修正や緩和策の文脈とあわせて優先度を決め、対応サイクルを短く保ちつつ重要資産を守る支援をします。
Assigner(CNA/発行元):[email protected] この条件を外す
| CVE | 説明 | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|
| CVE-2025-24005 | A local attacker with a local user account can leverage a vulnerable script via SSH to escalate privileges to root due to improper input validation. | 7.8 | 0.07% | 2025-07-08 | 2026-06-17 |
| CVE-2025-24004 | A physical attacker with access to the device display via USB-C can send a message to the device which triggers an unsecure copy to a buffer resulting in loss of integrity and a temporary denial-of-service for the stations until they got restarted by the watchdog. | 5.2 | 0.16% | 2025-07-08 | 2026-06-17 |
| CVE-2025-24003 | An unauthenticated remote attacker can use MQTT messages to trigger out-of-bounds writes in charging stations complying with German Calibration Law, resulting in a loss of integrity for only EichrechtAgents and potential denial-of-service for these stations. | 8.2 | 0.34% | 2025-07-08 | 2026-06-17 |
| CVE-2025-24002 | An unauthenticated remote attacker can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial-of-service for these stations until they got restarted by the watchdog. | 5.3 | 0.35% | 2025-07-08 | 2026-06-17 |
| CVE-2025-3705 | A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive. | 6.8 | 0.78% | 2025-07-07 | 2026-06-17 |
| CVE-2025-3626 | A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI. | 9.1 | 0.89% | 2025-07-07 | 2026-06-17 |
| CVE-2025-41672 | A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices. | 10.0 | 0.34% | 2025-07-07 | 2026-06-17 |
| CVE-2025-41656 | An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default. | 10.0 | 9.95% | 2025-07-01 | 2026-06-17 |
| CVE-2025-41648 | An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to access and change all available settings of the IndustrialPI. | 9.8 | 0.70% | 2025-07-01 | 2026-06-17 |
| CVE-2024-8419 | The endpoint hosts a script that allows an unauthorized remote attacker to put the system in a fail-safe state over the network due to missing authentication. | 7.5 | 0.41% | 2025-06-30 | 2026-06-17 |
| CVE-2025-41647 | A local, low-privileged attacker can learn the password of the connected controller in PLC Designer V4 due to an incorrect implementation that results in the password being displayed in plain text under special conditions. | 5.5 | 0.09% | 2025-06-25 | 2026-06-17 |
| CVE-2025-3092 | An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint. | 7.5 | 0.41% | 2025-06-24 | 2026-06-17 |
| CVE-2025-3091 | An low privileged remote attacker in possession of the second factor for another user can login as that user without knowledge of the other user`s password. | 7.5 | 0.32% | 2025-06-24 | 2026-06-17 |
| CVE-2025-3090 | An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for critical function. | 8.2 | 0.41% | 2025-06-24 | 2026-06-17 |
| CVE-2025-25265 | A web application for configuring the controller is accessible at a specific path. It contains an endpoint that allows a high privileged remote attacker to read files from the system’s file structure. | 4.9 | 0.40% | 2025-06-16 | 2026-06-17 |
| CVE-2025-25264 | An unauthenticated remote attacker can trick an admin to visit a website containing malicious java script code. The current overly permissive CORS policy allows the attacker to obtain any files from the file system. | 6.5 | 0.39% | 2025-06-16 | 2026-06-17 |
| CVE-2025-41663 | For u-link Management API an unauthenticated remote attacker in a man-in-the-middle position can inject arbitrary commands in responses returned by WWH servers, which are then executed with elevated privileges. To get into such a position, clients would need to use insecure proxy configurations. | 9.8 | 0.55% | 2025-06-11 | 2026-06-17 |
| CVE-2025-41662 | Rejected reason: CVE-2025-41662 is considered redundant or unnecessary and thus should be withdrawn. Instead, a new CVE CVE-2025-41687 has been reserved to better reflect the updated analysis. | 該当なし | 0.07% | 2025-06-11 | 2025-07-23 |
| CVE-2025-41661 | An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection. | 8.8 | 0.26% | 2025-06-11 | 2026-06-17 |
| CVE-2025-41657 | Due to an undocumented active bluetooth stack on products delivered within the period 01.01.2024 to 09.05.2025 fingerprinting is possible by an unauthenticated adjacent attacker. | 4.3 | 0.17% | 2025-06-10 | 2026-06-17 |