PatchDay Alert
Daily Digest · 2 min read · 5 CVEs · Issue 12 By PatchDay Alert

CVSS 10 in Eclipse BaSyx, unauthenticated admin in OpenCTI, and a no-auth RCE in MeiG IoT

Five CVEs today, none exploited yet, but three are unauthenticated and critical. Eclipse BaSyx Java Server SDK scores a perfect 10 via path traversal to RCE, OpenCTI 6.6-6.9.12 hands out admin API access with no credentials, and MeiG FORGE_SLT711 devices allow OS command injection over HTTP. Also: a libssh2 integer overflow (CVSS 7.3) and a Realtek Wi-Fi kernel driver that ships debug ioctls with zero access control (CVSS 7.7).

Patch now: 3 · Within 24h: 0 · This week: 2 · Exploited: 0
Tags: MeiG Smart FORGE SLT711, GoAhead, Network Appliance, Libssh2, Nmap, Azure Linux, CBL Mariner, Linux, Realtek Rtl819x Jungle SDK, Rtl8192cd, Eclipse BaSyx Java Server SDK, Windows

Five fresh CVEs today, none exploited in the wild yet, but the severity scores are loud. The headliner is CVE-2026-7411: a CVSS 10.0 unauthenticated RCE in Eclipse BaSyx Java Server SDK that lets anyone write files anywhere on your filesystem via path traversal. Right behind it, OpenCTI and MeiG Smart devices both have unauth bugs north of 9.0. Nothing on fire yet, but if any of these face the internet, don't wait.


Today's CVEs

Sorted by urgency

02 · CVE-2026-7598
MSRC · CVSS 7.3 · EPSS 0.05% · HIGH · Patch this week
Tags: Libssh2, Nmap, Azure Linux, CBL Mariner, Linux

An integer overflow in libssh2's password authentication code could let an attacker corrupt memory during SSH authentication. Exploitation isn't trivial, but a successful attack could lead to code execution or a crash in any application that uses libssh2 for SSH connections. This affects libssh2 packages on Azure Linux 3.0 and CBL Mariner 2.0, including nmap builds that bundle it.

Included because
common library; memory corruption; CVSS 7.3; low EPSS indicates limited near-term exploitation risk
Affected estate
libssh2 1.11.1-1 and nmap 7.95-3 on Azure Linux 3.0; libssh2 1.9.0-4 and nmap 7.93-4 on CBL Mariner 2.0.
How to check
Run `rpm -q libssh2 nmap` or `tdnf list installed libssh2 nmap` to confirm installed versions.
Action
Run `tdnf update libssh2 nmap` to pull patched packages.
Urgency
Patch this week
Why it matters
Memory corruption during SSH auth could crash or compromise any tool using libssh2, including automated scanning and management scripts.
Source
NVD


03 · CVE-2026-36355
NVD · CVSS 7.7 · HIGH · Patch this week
Tags: Realtek Rtl819x Jungle SDK, Rtl8192cd, Network Appliance

The Realtek rtl8192cd Wi-Fi kernel driver ships debug ioctl handlers (read_mem and write_mem) in production builds with zero access control. A local attacker can use these to read or write arbitrary kernel memory, which is a straight path to privilege escalation or full device compromise. This affects all known versions of the Realtek rtl819x Jungle SDK through v3.4.14B, which means a huge number of consumer and embedded routers and access points.

Included because
kernel-level memory access; no access control; widespread embedded use; CVSS 7.7
Affected estate
Any device using the Realtek rtl819x Jungle SDK (all versions through v3.4.14B) with the rtl8192cd Wi-Fi kernel driver.
How to check
Identify devices using Realtek Wi-Fi chipsets in your inventory. Check firmware release notes or contact the device OEM to confirm whether the rtl819x Jungle SDK is in use.
Action
Apply vendor firmware updates when available. If no patch exists, limit local access and segment these devices away from sensitive networks.
Urgency
Patch this week
Why it matters
Kernel memory read/write with no access control gives a local attacker full control of the device, and exploitation requires only local access with no special privileges.
Source
NVD


04 · CVE-2026-7411
NVD · CVSS 10.0 · CRITICAL · Patch now
Tags: Eclipse BaSyx Java Server SDK, Linux, Windows

An unauthenticated attacker can upload files to any location on the filesystem by abusing a path traversal bug in the Eclipse BaSyx Java Server SDK's Submodel HTTP API. A crafted fileName parameter during file upload lets the attacker write outside the intended directory, which leads directly to remote code execution. This is a CVSS 10.0: no authentication, no user interaction, full system compromise.

Included because
unauthenticated; remote code execution; path traversal; CVSS 10.0; no user interaction
Affected estate
Eclipse BaSyx Java Server SDK versions before 2.0.0-milestone-10, specifically instances exposing the Submodel HTTP API.
How to check
Check your BaSyx deployment version in the application's pom.xml, build manifest, or container image tag. Any version before 2.0.0-milestone-10 is vulnerable.
Action
Upgrade to Eclipse BaSyx Java Server SDK 2.0.0-milestone-10 or later. If you cannot upgrade immediately, restrict network access to the Submodel API endpoint.
Urgency
Patch immediately
Why it matters
Unauthenticated arbitrary file write equals remote code execution. CVSS 10.0 with no interaction required means any exposed instance is trivially compromisable.
Source
NVD


05 · CVE-2026-27960
NVD · CVSS 9.8 · CRITICAL · Patch now
Tags: OpenCTI, Linux, Cloud

OpenCTI versions 6.6.0 through 6.9.12 have a privilege escalation bug that lets an unauthenticated attacker query the API as any existing user, including the default admin account. No credentials needed. If your OpenCTI instance is reachable, an attacker gets full admin access to your threat intelligence platform.

Included because
unauthenticated; privilege escalation to admin; CVSS 9.8; common security tool
Affected estate
OpenCTI instances running versions 6.6.0 through 6.9.12.
How to check
Check your OpenCTI version in the web UI footer or via the API. Any version from 6.6.0 to 6.9.12 inclusive is vulnerable.
Action
Upgrade to OpenCTI 6.9.13. If you can't upgrade right now, set APP__ADMIN__EXTERNALLY_MANAGED to disable the default admin account.
Urgency
Patch immediately
Why it matters
Unauthenticated API access as admin means full control of your threat intelligence data, including the ability to read, modify, or delete everything in the platform.
Source
NVD
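The two version rules in the BaSyx and OpenCTI entries (OpenCTI 6.6.0 through 6.9.12 inclusive; BaSyx anything before 2.0.0-milestone-10) as a small Python triage helper you can run over an inventory export. This is an added example, not PatchDay's or either project's code; it assumes a constructed inventory list with placeholder hostnames and the `X.Y.Z-milestone-N` scheme the BaSyx advisory uses, ranking a final release later than any milestone of the same number.

```python
import re

# Affected ranges exactly as the digest states them.
OPENCTI_LOW, OPENCTI_HIGH = "6.6.0", "6.9.12"   # inclusive on both ends
BASYX_FIXED = "2.0.0-milestone-10"              # first non-vulnerable build

def parse_version(v):
    """Turn 'X.Y.Z' or 'X.Y.Z-milestone-N' into a comparable tuple.
    Milestones compare numerically (9 < 10, which a plain string compare
    gets wrong), and a milestone sorts before the final X.Y.Z release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-milestone-(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, ms = m.groups()
    rank = 0 if ms is not None else 1   # 0 = pre-release, 1 = final
    return (int(major), int(minor), int(patch), rank, int(ms or 0))

def opencti_vulnerable(v):
    """CVE-2026-27960: 6.6.0 <= version <= 6.9.12."""
    return parse_version(OPENCTI_LOW) <= parse_version(v) <= parse_version(OPENCTI_HIGH)

def basyx_vulnerable(v):
    """CVE-2026-7411: anything before 2.0.0-milestone-10."""
    return parse_version(v) < parse_version(BASYX_FIXED)

CHECKS = {"opencti": (opencti_vulnerable, "CVE-2026-27960"),
          "basyx": (basyx_vulnerable, "CVE-2026-7411")}

def triage(inventory):
    """inventory: (host, product, version) triples; returns the ones to patch."""
    return [(host, product, version, CHECKS[product][1])
            for host, product, version in inventory
            if CHECKS[product][0](version)]

# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("cti-01.example", "opencti", "6.9.12"),            # last vulnerable release
    ("cti-02.example", "opencti", "6.9.13"),            # fixed
    ("cti-03.example", "opencti", "6.5.9"),             # predates the affected range
    ("aas-01.example", "basyx", "2.0.0-milestone-9"),   # vulnerable: 9 < 10
    ("aas-02.example", "basyx", "2.0.0-milestone-10"),  # fixed
    ("aas-03.example", "basyx", "2.0.0"),               # final release, later than any milestone
]

if __name__ == "__main__":
    for host, product, version, cve in triage(SAMPLE_INVENTORY):
        print(f"PATCH {host}: {product} {version} is affected by {cve}")
```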
