NVD disclosure day

Published threat advisories for February 27, 2025

CVE advisoryCRITICAL

CVE-2024-55160

GFast OrderBy SQL Injection Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

GFast versions 2 through 3.2 contain a SQL injection vulnerability in the OrderBy parameter, allowing unauthenticated attackers to execute arbitrary SQL commands. This could lead to unauthorized access or modification of system operational logs, potentially impacting service integrity.

CVE advisoryCRITICAL

CVE-2024-51139

DrayTek Vigor Router Code Execution Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A critical buffer overflow vulnerability exists in multiple DrayTek Vigor router models, allowing remote attackers to execute arbitrary code by sending specially crafted HTTP POST requests. This could compromise the router's functionality and the network it protects.

CVE advisoryCRITICAL

CVE-2024-51138

DrayTek Vigor Routers TR069 URL Parsing Stack Overflow Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A stack-based buffer overflow in the TR-069 STUN server's URL parsing function allows remote attackers to execute arbitrary code with elevated privileges by sending a crafted request. This vulnerability affects various DrayTek Vigor router models due to insufficient bounds checking on URL parameters.