NVD や CVE、ほか複数の脅威フィードを束ね、RCE など高リスクな事象を深く追える一覧です。CVSS と EPSS を組み合わせ、Exploit 参照や PoC の有無から悪用しやすさを追跡します。ベンダー修正や緩和策の文脈とあわせて優先度を決め、対応サイクルを短く保ちつつ重要資産を守る支援をします。
Assigner(CNA/発行元):[email protected] この条件を外す
| CVE | 説明 | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|
| CVE-2025-41735 | A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution. | 8.8 | 0.50% | 2025-11-18 | 2026-06-17 |
| CVE-2025-41734 | An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices. | 9.8 | 0.46% | 2025-11-18 | 2026-06-17 |
| CVE-2025-41733 | The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials. | 9.8 | 0.56% | 2025-11-18 | 2026-06-17 |
| CVE-2025-41731 | A vulnerability was identified in the password generation algorithm when accessing the debug-interface. An unauthenticated local attacker with knowledge of the password generation timeframe might be able to brute force the password in a timely manner and thus gain root access to the device if the debug interface is still enabled. | 7.4 | 0.11% | 2025-11-10 | 2026-06-17 |
| CVE-2025-41724 | An unauthenticated remote attacker can crash the wscserver by sending incomplete SOAP requests. The wscserver process will not be restarted by a watchdog and a device reboot is necessary to make it work again. | 7.5 | 0.40% | 2025-10-22 | 2026-06-17 |
| CVE-2025-41723 | The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker bypass the path restriction and upload files to arbitrary locations. | 9.8 | 1.23% | 2025-10-22 | 2026-06-17 |
| CVE-2025-41722 | The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices. | 7.5 | 0.23% | 2025-10-22 | 2026-06-17 |
| CVE-2025-41721 | A high privileged remote attacker can influence the parameters passed to the openssl command due to improper neutralization of special elements when adding a password protected self-signed certificate. | 2.7 | 0.17% | 2025-10-22 | 2026-06-17 |
| CVE-2025-41720 | A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified. | 4.3 | 0.15% | 2025-10-22 | 2026-06-17 |
| CVE-2025-41719 | A low privileged remote attacker can corrupt the webserver users storage on the device by setting a sequence of unsupported characters which leads to deletion of all previously configured users and the creation of the default Administrator with a known default password. | 8.8 | 0.46% | 2025-10-22 | 2026-06-17 |
| CVE-2025-41718 | A cleartext transmission of sensitive information vulnerability in the affected products allows an unauthorized remote attacker to gain login credentials and access the Web-UI. | 7.5 | 0.24% | 2025-10-14 | 2026-06-17 |
| CVE-2025-41699 | An low privileged remote attacker with an account for the Web-based management can change the system configuration to perform a command injection as root, resulting in a total loss of confidentiality, availability and integrity due to improper control of generation of code ('Code Injection'). | 8.8 | 0.88% | 2025-10-14 | 2026-06-17 |
| CVE-2025-41707 | The websocket handler is vulnerable to a denial of service condition. An unauthenticated remote attacker can send a crafted websocket message to trigger the issue without affecting the core functionality. | 5.3 | 1.44% | 2025-10-14 | 2026-06-17 |
| CVE-2025-41706 | The webserver is vulnerable to a denial of service condition. An unauthenticated remote attacker can craft a special GET request with an over-long content-length to trigger the issue without affecting the core functionality. | 5.3 | 1.70% | 2025-10-14 | 2026-06-17 |
| CVE-2025-41705 | An unauthenticated remote attacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend. | 6.8 | 0.42% | 2025-10-14 | 2026-06-17 |
| CVE-2025-41704 | An unauthanticated remote attacker can perform a DoS of the Modbus service by sending a specific function and sub-function code without affecting the core functionality. | 5.3 | 1.50% | 2025-10-14 | 2026-06-17 |
| CVE-2025-41703 | An unauthenticated remote attacker can cause a Denial of Service by turning off the output of the UPS via Modbus command. | 7.5 | 1.00% | 2025-10-14 | 2026-06-17 |
| CVE-2025-41716 | The web application allows an unauthenticated remote attacker to learn information about existing user accounts with their corresponding role due to missing authentication for critical function. | 5.3 | 0.37% | 2025-09-24 | 2026-06-17 |
| CVE-2025-41715 | The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access and potentially compromise it. | 9.8 | 0.47% | 2025-09-24 | 2026-06-17 |
| CVE-2025-41713 | During a short time frame while the device is booting an unauthenticated remote attacker can send traffic to unauthorized networks due to the switch operating in an undefined state until a CPU-induced reset allows proper configuration. | 6.5 | 0.35% | 2025-09-15 | 2026-06-17 |