Overview

CVE-2025-33191 is a medium severity vulnerability affecting NVIDIA DGX Spark GB10 systems. This flaw resides within the OSROOT firmware and could allow a malicious actor to trigger an invalid memory read, potentially leading to a denial-of-service (DoS) condition. This article provides a comprehensive overview of the vulnerability, its technical details, potential impact, and recommended mitigation steps.

Technical Details

The vulnerability stems from insufficient input validation within the OSROOT firmware of the NVIDIA DGX Spark GB10. Specifically, a crafted input can cause the system to attempt to read from an invalid memory address. This invalid memory read can lead to…
-
Overview

CVE-2025-33190 is a medium severity vulnerability identified in the SROOT firmware of NVIDIA DGX Spark GB10. This flaw allows a potential attacker to trigger an out-of-bound write, which could lead to a range of detrimental outcomes. This article provides a detailed analysis of the vulnerability, its potential impact, and recommended mitigation strategies.

Technical Details

The vulnerability stems from insufficient boundary checks within the SROOT firmware of the NVIDIA DGX Spark GB10. By exploiting this weakness, an attacker can write data beyond the allocated memory buffer. This out-of-bound write can overwrite adjacent memory regions, potentially corrupting data or overwriting executable…
-
Overview

A high-severity vulnerability, identified as CVE-2025-33189, has been discovered in the SROOT firmware of NVIDIA DGX Spark GB10 systems. This vulnerability allows a potential attacker to perform an out-of-bounds write, potentially leading to severe consequences including code execution, data tampering, denial of service, information disclosure, or even privilege escalation. This article provides a detailed overview of the vulnerability, its potential impact, and recommended mitigation steps.

Technical Details

CVE-2025-33189 stems from insecure handling of data within the SROOT firmware of NVIDIA DGX Spark GB10. The out-of-bounds write vulnerability occurs due to insufficient bounds checking when processing specific data inputs.…
-
Overview

A high-severity vulnerability, identified as CVE-2025-33188, has been discovered in the NVIDIA DGX Spark GB10 hardware. This vulnerability allows an attacker to potentially tamper with hardware controls, leading to serious security consequences. This article provides a detailed analysis of the vulnerability, its potential impact, and necessary mitigation steps.

Technical Details

CVE-2025-33188 stems from a flaw in the hardware resource management of the NVIDIA DGX Spark GB10. Specifically, insufficient access controls on certain hardware components enable unauthorized modification of critical parameters. Successful exploitation could allow an attacker to manipulate device behavior at a low level, bypassing software-based security mechanisms. CVSS…
-
Overview

CVE-2025-33187 is a critical vulnerability affecting NVIDIA DGX Spark GB10 systems. This flaw resides within the SROOT component and could allow an attacker with privileged access to bypass security measures and gain unauthorized access to protected areas of the System on a Chip (SoC).

Technical Details

The vulnerability in SROOT allows an attacker with sufficient privileges to potentially manipulate or access sensitive data within the SoC’s protected regions. This could be achieved through crafted requests or exploitation of insecure access control mechanisms. The specific attack vector and required prerequisites are detailed in NVIDIA’s advisory. Understanding the intricacies of SROOT’s…
-
Overview

CVE-2025-13483 identifies a significant authentication bypass vulnerability affecting SiRcom SMART Alert (SiSA). This flaw allows an unauthenticated attacker to gain unauthorized access to backend APIs, effectively bypassing the login screen and gaining access to restricted functionalities within the application. This vulnerability was published on 2025-11-25 and is detailed in the CISA advisory linked below.

Technical Details

The vulnerability in SiRcom SMART Alert (SiSA) stems from insufficient authentication controls on backend APIs. An attacker can exploit this by utilizing browser developer tools (e.g., inspecting network requests or modifying local storage) to manipulate requests and bypass the login mechanism. By…
-
Overview

CVE-2025-64061 details a significant vulnerability in Primakon Pi Portal version 1.0.18. This flaw exposes sensitive user data, including password hashes, to unauthorized access. The issue stems from deficient access control mechanisms within the /api/v2/users endpoint. Any authenticated user, regardless of their privilege level, can retrieve a complete list of all registered application users and their associated data, posing a serious security risk.

Technical Details

The vulnerability lies in the lack of proper access control checks on the /api/v2/users API endpoint. An authenticated user can send a simple GET request to this endpoint and receive a JSON response containing a…
-
Overview

CVE-2025-63729 is a critical security vulnerability affecting Syrotech SY-GPON-1110-WDONT routers running firmware version SYRO_3.7L_3.1.02-240517. This vulnerability allows attackers to extract sensitive information, including the SSL Private Key, CA Certificate, SSL Certificate, and Client Certificates, from the firmware located in the /etc folder. This exposure poses a significant risk to the confidentiality and integrity of communications secured by these certificates.

Technical Details

The vulnerability stems from insufficient access control and protection mechanisms for sensitive files within the router’s firmware. Specifically, the SSL Private Key, CA Certificate, SSL Certificate, and Client Certificates are stored in .pem format within the /etc directory,…
-
Overview

A high-severity Remote Code Execution (RCE) vulnerability, identified as CVE-2025-64050, has been discovered in REDAXO CMS version 5.20.0. This vulnerability allows authenticated administrators to execute arbitrary operating system commands by injecting malicious PHP code into an active template. The injected code is then executed whenever a visitor accesses a frontend page using the compromised template.

Technical Details

The vulnerability resides within the template management component of REDAXO CMS. An authenticated administrator can modify a template, injecting PHP code within the template’s source. This code is then parsed and executed by the server when the template is rendered for frontend…
-
Overview

A stored cross-site scripting (XSS) vulnerability has been discovered in REDAXO CMS version 5.20.0, specifically within the module management component. This flaw, identified as CVE-2025-64049, allows attackers to inject malicious JavaScript code into the system through the “Output code” field of a module. When a legitimate user views or edits an article that incorporates a slice utilizing the compromised module, the injected script executes, potentially leading to account compromise, data theft, or website defacement.

Technical Details

The vulnerability resides in the lack of proper sanitization of user-supplied input within the module’s “Output code” field. Attackers can insert arbitrary HTML…