Total: 1262 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-54849 | 1 Cpplusworld | 2 Cp-vnr-3104, Cp-vnr-3104 Firmware | 2025-10-02 | 5.9 Medium |
| An issue in CP Plus CP-VNR-3104 B3223P22C02424 allows attackers to obtain the second RSA private key and access sensitive data or execute a man-in-the-middle attack. | ||||
| CVE-2024-5918 | 1 Paloaltonetworks | 1 Pan-os | 2025-10-01 | 4.3 Medium |
| An improper certificate validation vulnerability in Palo Alto Networks PAN-OS software enables an authorized user with a specially crafted client certificate to connect to an impacted GlobalProtect portal or GlobalProtect gateway as a different legitimate user. This attack is possible only if you "Allow Authentication with User Credentials OR Client Certificate." | ||||
| CVE-2025-39205 | | | 2025-10-01 | 6.5 Medium |
| A vulnerability exists in IEC 61850 in the MicroSCADA X SYS600 product. The certificate validation of the TLS protocol allows a remote man-in-the-middle attack due to missing proper validation. | ||||
| CVE-2024-23970 | 1 Chargepoint | 6 Home Flex Hardwired, Home Flex Hardwired Firmware, Home Flex Nema 14-50 Plug and 3 more | 2025-09-30 | 6.5 Medium |
| This vulnerability allows network-adjacent attackers to compromise transport security on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CURLOPT_SSL_VERIFYHOST setting. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. | ||||
| CVE-2025-35434 | 1 Cisa | 1 Thorium | 2025-09-30 | 4.2 Medium |
| CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonate the Elasticsearch service. Fixed in 1.1.2. | ||||
| CVE-2024-52330 | 1 Ecovacs | 40 Deebot T10, Deebot T10 Firmware, Deebot T10 Omni and 37 more | 2025-09-23 | 7.4 High |
| ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates. | ||||
| CVE-2024-52329 | 1 Ecovacs | 1 Home | 2025-09-23 | 7.4 High |
| ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens. | ||||
| CVE-2025-58123 | 2 Checkmk, Oetiker | 2 Checkmk, Bgp Monitoring | 2025-09-23 | 4.8 Medium |
| Improper Certificate Validation in Checkmk Exchange plugin BGP Monitoring allows attackers in MitM position to intercept traffic. | ||||
| CVE-2025-58125 | 2 Checkmk, Pawelko | 2 Checkmk, Freebox V6 Agent | 2025-09-23 | 4.8 Medium |
| Improper Certificate Validation in Checkmk Exchange plugin Freebox v6 agent allows attackers in MitM position to intercept traffic. | ||||
| CVE-2025-58126 | 3 Checkmk, Tomtretbar, Vmware | 3 Checkmk, Vmware Vsan, Vma | 2025-09-23 | 4.8 Medium |
| Improper Certificate Validation in Checkmk Exchange plugin VMware vSAN allows attackers in MitM position to intercept traffic. | ||||
| CVE-2025-58127 | 2 Checkmk, Tomtretbar | 2 Checkmk, Dell Powerscale | 2025-09-23 | 4.8 Medium |
| Improper Certificate Validation in Checkmk Exchange plugin Dell Powerscale allows attackers in MitM position to intercept traffic. | ||||
| CVE-2024-48865 | 1 Qnap | 2 Qts, Quts Hero | 2025-09-23 | 7.5 High |
| An improper certificate validation vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow attackers with local network access to compromise the security of the system. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later; QTS 5.2.2.2950 build 20241114 and later; QuTS hero h5.1.9.2954 build 20241120 and later; QuTS hero h5.2.2.2952 build 20241116 and later. | ||||
| CVE-2024-47619 | 2 Debian, Oneidentity | 2 Debian Linux, Syslog-ng | 2025-09-22 | 7.5 High |
| syslog-ng is an enhanced log daemon. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue. | ||||
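The syslog-ng entry above is about wildcard certificate names being handed to a glob matcher instead of being checked against the narrow rules TLS actually allows. The following is an added example, not syslog-ng's `tls_wildcard_match()` or any code from the project: a matcher that accepts a `*` only as the entire left-most label, matching exactly one label, so `foo.*.bar`, `foo.a*c.bar` and `*.com` are all rejected. Function and variable names are my own.

```python
"""Wildcard certificate-name matching the way TLS clients should do it.

Added example (not syslog-ng code). Conservative reading of RFC 6125,
section 6.4.3: a wildcard is only valid as the whole left-most label,
it matches exactly one label, and it must leave at least two fixed
labels to its right.
"""
from typing import Iterable


def wildcard_match(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`."""
    p = pattern.lower().rstrip(".")   # case-insensitive, ignore one trailing dot
    h = hostname.lower().rstrip(".")
    if not p or not h:
        return False
    if "*" not in p:
        return p == h                   # no wildcard: exact match only

    p_labels = p.split(".")
    h_labels = h.split(".")

    # Exactly one '*', and it must be the entire first label.  This rejects
    # inner-label wildcards (foo.*.bar) and partial ones (foo.a*c.bar,
    # a*c.example.com) that a glob matcher would happily accept.
    if p.count("*") != 1 or p_labels[0] != "*":
        return False
    # '*.com' would cover every second-level domain; require '*.x.y' at least.
    if len(p_labels) < 3:
        return False
    # The wildcard stands for one label, never a dotted span, so the
    # hostname must have exactly as many labels as the pattern.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_in_names(names: Iterable[str], hostname: str) -> bool:
    """True if any certificate name (e.g. the SAN dNSName list) covers hostname."""
    return any(wildcard_match(n, hostname) for n in names)


if __name__ == "__main__":
    # Constructed sample: a SAN list as it might appear in a server certificate.
    sans = ["*.example.com", "example.com", "foo.*.bar", "foo.a*c.bar"]
    for host in ["www.example.com", "a.b.example.com", "foo.x.bar", "foo.abc.bar"]:
        print(f"{host:20s} {hostname_in_names(sans, host)}")
```

Only the first `*.example.com` entry of the sample SAN list ever matches anything; the two malformed names are dead entries rather than wide-open ones.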
| CVE-2025-30278 | 1 Qnap | 1 Qsync Central | 2025-09-19 | 8.8 High |
| An improper certificate validation vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 (2025/04/23) and later | ||||
| CVE-2025-30277 | 1 Qnap | 1 Qsync Central | 2025-09-19 | 8.8 High |
| An improper certificate validation vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 (2025/04/23) and later | ||||
| CVE-2025-59347 | 2 Dragonflyoss, Linuxfoundation | 2 Dragonfly2, Dragonfly | 2025-09-18 | 6.5 Medium |
| Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat jobs. An adversary performs a network-level man-in-the-middle attack, providing invalid data to the Manager. The Manager preheats with the wrong data, which later causes a denial of service and file integrity problems. This vulnerability is fixed in 2.1.0. | ||||
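Several entries above share one root cause: the client's TLS verification is switched off, either in one setting (the ChargePoint entry's `CURLOPT_SSL_VERIFYHOST`, which controls name matching while `CURLOPT_SSL_VERIFYPEER` controls chain checking) or wholesale (Thorium, ECOVACS, the Dragonfly Manager). The block below is an added example written in Python's `ssl` module, not code from any of those projects: the weak configuration beside the corrected one, an `audit_context()` check an operator could drop into a code review or a unit test, and a demonstration that with name checking enabled the library refuses to even wrap a socket it was not told the hostname for. The `cafile` parameter and all function names are my own.

```python
"""TLS client verification: the disabled configuration beside the fixed one.

Added example (not code from ChargePoint, CISA Thorium, ECOVACS or
Dragonfly).  In Python's ssl module, verify_mode plays the role of curl's
CURLOPT_SSL_VERIFYPEER (is the chain checked?) and check_hostname the role
of CURLOPT_SSL_VERIFYHOST (does the cert name match the host we dialed?).
"""
import socket
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern behind the listed CVEs: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # chain is not validated at all
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain verified against a trust store, name matched, old versions off.

    `cafile` (assumed parameter) lets a device pin its vendor CA instead of
    trusting every public root, which is the right call for update servers.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification weaknesses found in `ctx`; empty list means OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer chain is not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocol versions accepted")
    return findings


def wrap_requires_hostname(ctx: ssl.SSLContext) -> bool:
    """True if wrapping a socket *without* server_hostname is refused.

    With check_hostname on, ssl raises ValueError before any network I/O
    because there is no name to verify the certificate against.  The
    insecure context silently accepts the unnamed wrap, which is exactly the
    condition that lets a MitM present any certificate it likes.
    """
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        wrapped = ctx.wrap_socket(raw)   # server_hostname deliberately omitted
    except ValueError:
        raw.close()
        return True
    wrapped.close()
    return False


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "OK",
              "refuses unnamed wrap" if wrap_requires_hostname(ctx) else "accepts unnamed wrap")
```

The audit is the part worth keeping: a test that asserts `audit_context(client_ctx) == []` is cheap, runs offline, and would have caught the "verification disabled, not configurable" situation described for the Dragonfly Manager before it shipped.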
| CVE-2025-59353 | 2 Dragonflyoss, Linuxfoundation | 2 Dragonfly2, Dragonfly | 2025-09-18 | 7.5 High |
| Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request. This vulnerability is fixed in 2.1.0. | ||||
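The second Dragonfly entry describes the missing check: the Manager signed certificates for whatever IP addresses a peer asked for, without confirming that the peer connected from those addresses. The block below is an added example, not Dragonfly's Certificate gRPC service: a gate that takes the IP SANs a peer requests and the address its connection actually came from, and returns the reasons the request should be refused. It also handles the one edge case a dual-stack listener introduces, an IPv4 peer showing up as an IPv4-mapped IPv6 address. Function names and the sample addresses are my own.

```python
"""Bind a certificate request's IP SANs to the requesting peer's address.

Added example (not Dragonfly code).  The rule is the one the advisory
above spells out: a peer may only obtain a certificate for the address it
is connecting from.  Anything else is refused, including unspecified and
multicast addresses that could never identify a single peer.
"""
import ipaddress
from typing import Iterable, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _normalise(addr: str) -> IPAddr:
    """Parse `addr`, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d).

    A peer reaching a dual-stack listener over IPv4 is reported by the
    socket layer as ::ffff:10.0.0.5; without this step it would never equal
    the 10.0.0.5 it legitimately asks for.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def validate_cert_request(requested_ips: Iterable[str], peer_addr: str) -> List[str]:
    """Return the problems with a request for a cert covering `requested_ips`.

    An empty list means every requested IP SAN is the address the peer
    actually connected from, so issuing the certificate is safe.
    """
    problems: List[str] = []
    try:
        peer = _normalise(peer_addr)
    except ValueError:
        return [f"peer address {peer_addr!r} is not a valid IP address"]

    wanted = list(requested_ips)
    if not wanted:
        problems.append("request contains no IP SANs")
    for raw in wanted:
        try:
            ip = _normalise(raw)
        except ValueError:
            problems.append(f"{raw!r} is not a valid IP address")
            continue
        if ip.is_unspecified or ip.is_multicast:
            problems.append(f"{raw} cannot identify a single peer")
            continue
        if ip != peer:   # the check the vulnerable versions did not perform
            problems.append(f"{raw} does not match the connecting peer {peer_addr}")
    return problems


def authorize_issuance(requested_ips: Iterable[str], peer_addr: str) -> List[str]:
    """Gate in front of the signer: return the SANs to sign or refuse loudly."""
    problems = validate_cert_request(requested_ips, peer_addr)
    if problems:
        raise PermissionError("; ".join(problems))
    return [str(_normalise(ip)) for ip in requested_ips]


if __name__ == "__main__":
    # Constructed sample requests: (requested IP SANs, address the peer connected from)
    samples = [
        (["10.0.0.5"], "10.0.0.5"),            # honest peer
        (["10.0.0.5"], "::ffff:10.0.0.5"),     # same peer through a dual-stack listener
        (["10.0.0.9"], "10.0.0.5"),            # peer asking for someone else's address
        (["10.0.0.5", "0.0.0.0"], "10.0.0.5"), # smuggling a wildcard-like address
    ]
    for sans, peer in samples:
        print(sans, "from", peer, "->", validate_cert_request(sans, peer) or "issue")
```

Comparing parsed addresses rather than strings is what makes the mapped-IPv6 case work; comparing strings would either reject honest dual-stack peers or, if the comparison were loosened to a substring check, reopen the hole.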
| CVE-2025-30279 | 1 Qnap | 1 File Station | 2025-09-17 | 8.8 High |
| An improper certificate validation vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later | ||||
| CVE-2025-33031 | 1 Qnap | 1 File Station | 2025-09-17 | 8.8 High |
| An improper certificate validation vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later | ||||
| CVE-2025-58781 | | | 2025-09-15 | N/A |
| WTW-EAGLE App does not properly validate server certificates, which may allow a man-in-the-middle attacker to monitor encrypted traffic. | ||||