4 min
Vulnerability Disclosure
Xerox Versalink C7025 Multifunction Printer: Pass-Back Attack Vulnerabilities (FIXED)
During security testing, Rapid7 discovered that Xerox Versalink C7025 Multifunction printers (MFPs) were vulnerable to pass-back attacks.
3 min
Vulnerability Disclosure
CVE-2025-1094: PostgreSQL psql SQL injection (FIXED)
Rapid7 discovered and is disclosing CVE-2025-1094, a high-severity SQL injection vulnerability affecting the PostgreSQL interactive tool psql.
4 min
IoT
Lorex 2K Indoor Wi-Fi Security Camera: Multiple Vulnerabilities (FIXED)
The Lorex 2K Indoor Wi-Fi Security Camera is a consumer security device that provides cloud-based video camera surveillance capabilities. This device was a target at the 2024 Pwn2Own IoT competition. As of December 3, 2024, we are disclosing these issues publicly in coordination with the vendor.
3 min
Vulnerability Disclosure
Multiple Vulnerabilities in Wowza Streaming Engine (Fixed)
Rapid7 is disclosing multiple vulnerabilities in Wowza Streaming Engine below v4.9.1. These vulnerabilities are tracked as CVE-2024-52052, CVE-2024-52053, CVE-2024-52054, CVE-2024-52055, and CVE-2024-52056. They are patched as of Wowza Streaming Engine v4.9.1.
17 min
Vulnerability Disclosure
CVE-2024-45195: Apache OFBiz Unauthenticated Remote Code Execution (Fixed)
Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution (CVE-2024-45195) on Linux and Windows. Exploitation is facilitated by bypassing previous patches.
6 min
Vulnerability Disclosure
CVE-2024-6922: Automation Anywhere Automation 360 Server-Side Request Forgery
Automation 360 Robotic Process Automation suite v21-v32 is vulnerable to unauthenticated Server-Side Request Forgery (SSRF).
10 min
Managed Detection and Response (MDR)
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Justice AV Solutions (JAVS) is a U.S.-based company specializing in digital audio-visual recording solutions for courtroom environments.
Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action.
19 min
Emergent Threat Response
CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities (FIXED)
Rapid7’s vulnerability research team identified two new vulnerabilities affecting JetBrains TeamCity CI/CD server: CVE-2024-27198 and CVE-2024-27199, both of which are authentication bypasses.
11 min
Vulnerability Disclosure
CVE-2023-47218: QNAP QTS and QuTS Hero Unauthenticated Command Injection (FIXED)
Rapid7 has identified an unauthenticated command injection vulnerability in the QNAP operating system known as QTS, a core part of the firmware for numerous QNAP entry- and mid-level Network Attached Storage (NAS) devices.
1 min
Velociraptor
CVE-2023-5950 Rapid7 Velociraptor Reflected XSS
This advisory covers a specific issue identified in Velociraptor and disclosed by a security code review. Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability.
8 min
Vulnerability Disclosure
Multiple Vulnerabilities in South River Technologies Titan MFT and Titan SFTP [FIXED]
As part of our continuing research project into managed file transfer risk, including JSCAPE MFT and Fortra Globalscape EFT Server, Rapid7 discovered several vulnerabilities in South River Technologies’ Titan MFT and Titan SFTP servers.
4 min
Vulnerability Disclosure
CVE-2023-4528: Java Deserialization Vulnerability in JSCAPE MFT (Fixed)
In August 2023, Rapid7 discovered CVE-2023-4528, a Java deserialization vulnerability in Redwood Software’s JSCAPE MFT secure managed file transfer product. Successful exploitation can run arbitrary Java code as the `root` on Linux or the `SYSTEM` user on Windows.
6 min
Vulnerability Disclosure
CVE-2023-35082 - MobileIron Core Unauthenticated API Access Vulnerability
Rapid7 discovered a new vulnerability that allows unauthenticated attackers to access the API in unsupported versions of MobileIron Core (11.2 and below).
5 min
Vulnerability Disclosure
CVE-2023-38205: Adobe ColdFusion Access Control Bypass [FIXED]
Rapid7 discovered that the initial patch for CVE-2023-29298 (Adobe ColdFusion access control bypass vulnerability) did not successfully remediate the issue.
7 min
Vulnerability Disclosure
CVE-2023-29298: Adobe ColdFusion Access Control Bypass
Rapid7 discovered an access control bypass vulnerability affecting Adobe ColdFusion that allows an attacker to access the administration endpoints.