Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
Assigner (CNA / source):[email protected] Remove this filter
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2025-24004 | A physical attacker with access to the device display via USB-C can send a message to the device which triggers an unsecure copy to a buffer resulting in loss of integrity and a temporary denial-of-service for the stations until they got restarted by the watchdog. | 5.2 | 0.16% | 2025-07-08 | 2026-06-17 |
| CVE-2025-24003 | An unauthenticated remote attacker can use MQTT messages to trigger out-of-bounds writes in charging stations complying with German Calibration Law, resulting in a loss of integrity for only EichrechtAgents and potential denial-of-service for these stations. | 8.2 | 0.34% | 2025-07-08 | 2026-06-17 |
| CVE-2025-24002 | An unauthenticated remote attacker can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial-of-service for these stations until they got restarted by the watchdog. | 5.3 | 0.35% | 2025-07-08 | 2026-06-17 |
| CVE-2025-3705 | A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive. | 6.8 | 0.78% | 2025-07-07 | 2026-06-17 |
| CVE-2025-3626 | A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI. | 9.1 | 0.89% | 2025-07-07 | 2026-06-17 |
| CVE-2025-41672 | A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices. | 10.0 | 0.34% | 2025-07-07 | 2026-06-17 |
| CVE-2025-41656 | An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default. | 10.0 | 9.95% | 2025-07-01 | 2026-06-17 |
| CVE-2025-41648 | An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to access and change all available settings of the IndustrialPI. | 9.8 | 0.70% | 2025-07-01 | 2026-06-17 |
| CVE-2024-8419 | The endpoint hosts a script that allows an unauthorized remote attacker to put the system in a fail-safe state over the network due to missing authentication. | 7.5 | 0.41% | 2025-06-30 | 2026-06-17 |
| CVE-2025-41647 | A local, low-privileged attacker can learn the password of the connected controller in PLC Designer V4 due to an incorrect implementation that results in the password being displayed in plain text under special conditions. | 5.5 | 0.09% | 2025-06-25 | 2026-06-17 |
| CVE-2025-3092 | An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint. | 7.5 | 0.41% | 2025-06-24 | 2026-06-17 |
| CVE-2025-3091 | An low privileged remote attacker in possession of the second factor for another user can login as that user without knowledge of the other user`s password. | 7.5 | 0.32% | 2025-06-24 | 2026-06-17 |
| CVE-2025-3090 | An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for critical function. | 8.2 | 0.41% | 2025-06-24 | 2026-06-17 |
| CVE-2025-25265 | A web application for configuring the controller is accessible at a specific path. It contains an endpoint that allows a high privileged remote attacker to read files from the system’s file structure. | 4.9 | 0.40% | 2025-06-16 | 2026-06-17 |
| CVE-2025-25264 | An unauthenticated remote attacker can trick an admin to visit a website containing malicious java script code. The current overly permissive CORS policy allows the attacker to obtain any files from the file system. | 6.5 | 0.39% | 2025-06-16 | 2026-06-17 |
| CVE-2025-41663 | For u-link Management API an unauthenticated remote attacker in a man-in-the-middle position can inject arbitrary commands in responses returned by WWH servers, which are then executed with elevated privileges. To get into such a position, clients would need to use insecure proxy configurations. | 9.8 | 0.55% | 2025-06-11 | 2026-06-17 |
| CVE-2025-41662 | Rejected reason: CVE-2025-41662 is considered redundant or unnecessary and thus should be withdrawn. Instead, a new CVE CVE-2025-41687 has been reserved to better reflect the updated analysis. | N/A | 0.07% | 2025-06-11 | 2025-07-23 |
| CVE-2025-41661 | An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection. | 8.8 | 0.26% | 2025-06-11 | 2026-06-17 |
| CVE-2025-41657 | Due to an undocumented active bluetooth stack on products delivered within the period 01.01.2024 to 09.05.2025 fingerprinting is possible by an unauthenticated adjacent attacker. | 4.3 | 0.17% | 2025-06-10 | 2026-06-17 |
| CVE-2025-41646 | An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device | 9.8 | 40.73% | 2025-06-06 | 2026-06-17 |