Category Archives: Potential Risk of CVE

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

A quick look at branch predictor isolation in KVM-QEMU

Leave a comment

Preface: AMD SoCs can have KVM virtualization for embedded multicore systems, especially with ARM-based architectures, as KVM supports various architectures including ARM and has been adapted for embedded platforms. While KVM was initially designed for Intel and AMD x86 processors, its flexibility and portability allowed for ports to the ARM architecture, making it suitable for embedded multicore SoCs.

Ref: The AMD Zen5 branch predictor is a major update for the Zen family, featuring a new “two-ahead” design that allows it to predict up to two branches per clock cycle, a significant increase from the previous “one-ahead” limit.

Background: Any modern 64-bit AMD processor with AMD-V (SVM) virtualization support can utilize KVM-QEMU for virtualization, as KVM is integrated into the Linux kernel and requires only these hardware extensions for acceleration. To use KVM, you need to ensure AMD-V is enabled in your system’s firmware (BIOS/UEFI) and that your Linux distribution’s kernel and QEMU packages are installed and configured.

The branch predictor is a hardware component located within the processor that stores prediction data internally to improve performance by guessing the outcome of conditional branches.

It uses Branch History Buffers (BHT) and Branch Target Buffers (BTB) to keep track of past branch outcomes and the addresses of the branch targets, respectively, which are small, fast on-chip structures, not part of the main memory system.

Vulnerability details: Researchers from ETH Zurich discovered that incomplete isolation of the branch predictor state in AMD CPUs (Zen 1–5) allows a malicious guest VM to influence indirect branch prediction in the host, specifically in user-space components like QEMU.

The attack, named VMSCAPE, enables a guest VM to leak memory from the host QEMU process at a rate of 32 bytes/sec, including sensitive data like disk encryption keys.

Official announcement: For details, please refer to the link – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7046.html

AI and ML, Potential Risk of CVE

Point of view – NVIDIA’s NVDebug tool, about CVE-2025-23342 and CVE-2025-23343.  (12th Sep 2025)

Leave a comment

Preface: Debug logs may contain user IDs and passwords to provide diagnostic information for failed login attempts, authentication failures, or to trace user activity within an application, but this is a significant security risk and should be avoided. Security best practices dictate that sensitive information like passwords should never be logged in cleartext. Instead, logging should only include non-sensitive user identifiers to help with troubleshooting without exposing credentials

Background: NVIDIA’s NVDebug tool is part of the broader Nsight Systems tool suite and relies on the NVIDIA Data Center GPU Manager (DCGM) library, specifically utilizing it for data collection and diagnostics to assist in troubleshooting and monitoring NVIDIA GPUs.

  • NVDebug is a tool for debugging and profiling NVIDIA GPUs, particularly in data center environments.
  • DCGM is a library for managing and monitoring NVIDIA GPUs in clusters and data centers.

NVDebug uses the DCGM library to gather essential diagnostic data, logs, and health information from the GPUs, enabling detailed analysis of the system’s state and performance.

Vulnerability details:

CVE-2025-23342: The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to gain access to a privileged account . A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure and data tampering.

CVE-2025-23343: The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to write files to restricted components. A successful exploit of this vulnerability may lead to information disclosure, denial of service, and data tampering.

Official announcement: Please see the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5696

AI and ML, Potential Risk of CVE

The incorrect authorization described in CVE-2025-23256 may be triggered or facilitated by the underlying flaw CVE-2025-38456. (11th Sep 2025)

Leave a comment

Preface:

  • IPMI is a standardized interface for hardware management, operating via the Baseboard Management Controller (BMC).
  • It supports both in-band (local) and out-of-band (remote) access.
  • BlueField’s reliance on OpenIPMI and IPMItool makes it susceptible to kernel-level vulnerabilities.

Background: The Intelligent Platform Management Interface (IPMI) is a standard interface for hardware management used by system administrators to control the devices and monitor the sensors. For these, it is necessary the IPMI Controller called Baseboard Management Controller (BMC) and a manager software (for example, IPMItool). It provides an interface to manage IPMI functions in a local (in-band) or remote (out-of-band) system.

Vulnerability details:

This advisory explores a potential causal relationship between two recent vulnerabilities:

  • CVE-2025-23256 – A high-severity vulnerability in the NVIDIA BlueField DPU management interface, allowing local attackers to bypass authorization and modify configurations.

https://nvidia.custhelp.com/app/answers/detail/a_id/5655

  • CVE-2025-38456 – A moderate-severity vulnerability in the Linux IPMI subsystem, involving memory corruption due to mishandled pointers in ipmi_create_user().

https://nvd.nist.gov/vuln/detail/CVE-2025-38456

Recommendations

  1. Patch Kernel IPMI Subsystem: Ensure CVE-2025-38456 is mitigated in all systems running BlueField.
  2. Update BlueField Firmware: Apply NVIDIA’s latest firmware updates addressing CVE-2025-23256.
  3. Audit IPMI Access Controls: Review and restrict local access to /dev/ipmi0 and IPMItool.

Potential Risk of CVE, Under our observation

CVE-2025-9999: About TCP-based client/server Networking feature of PcVue. (9th Sep 2025)

Leave a comment

Preface: PcVue is a well-known and highly regarded SCADA solution, renowned for its innovation and user-friendliness, despite facing competition from larger, more dominant SCADA vendors. While not the most popular solution, PcVue’s strengths in user configuration, advanced HMI functionality, and integration capabilities have solidified its position in the market.

Background: Key Objectives of PcVue SCADA

Supervisory Control and Monitoring: To offer a centralized platform for operators to monitor and control complex industrial processes and large-scale infrastructure in real-time.

Data Acquisition and Analysis: To collect, process, and convert raw data into actionable information, providing operators with relevant alerts, reports, and historical data for informed decision-making.

Vulnerability details: Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowing an attacker to execute unauthorized commands in the application.

Official announcement: Please see the link for details

https://www.pcvue.com/security/#SB2025-4

How to Prevent This:

Input Validation: Never trust client input. Use strict schemas (e.g., JSON Schema).

  • Command Execution Hardening:
  • Avoid os.system() or shell execution.
  • Use safe APIs like subprocess.run() with argument lists.

Authentication & Authorization: Ensure only authorized users can send control commands.

Web Application Firewall (WAF): Detect and block suspicious payloads.

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-21484: About Qualcomm – Enhanced Validation of Array Index in Multi-Mode Call Processor (8th Sep 2025)

Leave a comment

Preface: PLMNs are public networks, while private networks (NPNs) serve specific users (such as enterprises). SNPNs (Standalone NPNs) are completely independent, dedicated networks that do not rely on the functionality of public PLMNs.

Background: “Qualcomm Multi-Mode Call Processor” is a component of their Modem-RF system, which is a comprehensive 5G module-RF system designed to provide multi-band, multi-mode connectivity for various devices. These integrated solutions combine the cellular modem, RF transceiver, and RF front-end components to enable 5G, 4G LTE, and legacy cellular network support in a single, cohesive platform.

Each PLMN is identified by a PLMN ID, which includes a country code and mobile network code. The UE uses this ID to distinguish between different PLMNs.

Vulnerability details:

Title – Improper Validation of Array Index in Multi-Mode Call Processor

Description – Memory corruption while selecting the PLMN from SOR failed list.

Vulnerability Type – CWE-129 Improper Validation of Array Index

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html

Best Practices
  • Always validate array indices before access.
  • Use safer memory functions or wrappers that include bounds checking.
  • Monitor heap usage and implement memory pressure handling routines.

AI and ML, Potential Risk of CVE

CVE-2025-23257 and CVE-2025-23258: About NVIDIA DOCA  (4th Sep 2025)

Leave a comment

Preface: An NVIDIA endless “collect-export” loop refers to the standard, continuous operation of the DOCA Telemetry Service (DTS), where telemetry data is perpetually collected and then exported. While high-frequency telemetry (HFT) offers an external, triggered alternative, the standard DTS flow is designed to run indefinitely, collecting data from the Sysfs provider and potentially exporting it via Prometheus or Fluent Bit.

Background: CUDA (Compute Unified Device Architecture) and DOCA (Data Center Infrastructure-on-a-Chip Architecture) are both NVIDIA SDKs, but they serve distinct purposes and target different hardware.

CUDA SDK: Primarily designed for general-purpose computing on NVIDIA GPUs. It enables developers to program accelerated computing applications by leveraging the parallel processing power of GPUs.

DOCA SDK: Built specifically for NVIDIA BlueField Data Processing Units (DPUs) and SuperNICs, aiming to accelerate data center infrastructure tasks. It enables offloading infrastructure-related workloads from the host CPU to the DPU.

DOCA Telemetry Service (DTS) is a DOCA Service for collecting and exporting telemetry data. It can run on hosts and BlueField, collecting data from built-in providers and external telemetry applications. The service supports various providers, including sysfs, ethtool, ifconfig, PPCC, DCGM, NVIDIA SMI, and more.

Ref: The binary data can be read using the /opt/mellanox/collectx/bin/clx_read app, packaged in collectx-clxapidev , a DOCA dependency package.

Vulnerability details:

CVE-2025-23257: NVIDIA DOCA contains a vulnerability in the collectx-clxapidev Debian package that could allow an actor with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges.

CVE-2025-23258: NVIDIA DOCA contains a vulnerability in the collectx-dpeserver Debian package for arm64 that could allow an attacker with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges.

Official announcement: Please see the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5655

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-9671 through CVE-2025-9675 are related to AndroidManifest[.]xml. Are they dangerous? (3rd Sep 2025)

Leave a comment

NVD Published Date: 08/29/2025

NVD Last Modified: 08/29/2025

Preface: If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application.

Background: In the AndroidManifest.xml, components can declare the android:exported attribute. If this attribute is set to true (or implicitly true in older Android versions or without explicit declaration for components with intent filters), it allows other applications to launch or interact with that component. If this is not properly restricted, it can become a vulnerability.

Vulnerability details: See below –

CVE-2025-9671 (CVSS 5.3) UAB Paytend App (≤ 2.1.9)   

– Improper export of components via AndroidManifest.xml.

– Exploitable locally

– CWE-926

CVE-2025-9672 (CVSS 5.3)Rejseplanen App (≤ 8.2.2)

-Local attack exploiting exported components.     

-CWE-926

CVE-2025-9673 (CVSS 5.3) Kakao Hey Kakao App (≤ 2.17.4)

– Local manipulation of manifest leads to exposed components.

-CWE-926

CVE-2025-9674 (CVSS 5.3) Transbyte Scooper News App (≤ 1.2)

-Manifest misconfiguration allows component export.

-CWE-926

CVE-2025-9675 (CVSS 5.3) Voice Changer App (≤ 1.1.0)

-Local exploit due to improperly exported components.

-CWE-926

Official announcement: Please see the link for details

https://nvd.nist.gov/vuln/detail/CVE-2025-9671

https://nvd.nist.gov/vuln/detail/CVE-2025-9672

https://nvd.nist.gov/vuln/detail/CVE-2025-9673

https://nvd.nist.gov/vuln/detail/CVE-2025-9674

https://nvd.nist.gov/vuln/detail/CVE-2025-9675

Potential Risk of CVE

CVE-2025-6203: Vault Community Edition and Vault Enterprise , staying alert! (2nd Sep 2025)

Leave a comment

Published: 2025-08-28

Updated: 2025-08-28

Preface: Credentials stores are common, largely due to SAML. SAML’s effectiveness stems from centralizing authentication and authorization, allowing a single Identity Provider (IdP) to manage user credentials instead of each Service Provider (SP) storing them individually. This not only boosts security by reducing the attack surface but also streamlines the user experience by enabling Single Sign-On (SSO), where users log in once to access multiple applications.

Background: Organizations with strict security and operational requirements for production will typically use Vault Enterprise or the managed HashiCorp Cloud Platform (HCP). Vault Enterprise is a paid product for large organizations with advanced capabilities such as disaster recovery (DR), cross-datacenter replication, Sentinel policy enforcement, and namespaces for better tenant isolation and governance. Enterprise also provides dedicated support and features for complex, mission-critical environments with stringent compliance needs.

The community version effectively handles fundamental secrets management in CI/CD, but it lacks the advanced features that larger enterprises need for scalability, compliance, and reliability.

Vault Community Edition is a free, self-managed secret management tool offering core features for small-scale deployments.

Vulnerability details: A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.

Official announcement: Please refer to the link for more details –

https://nvd.nist.gov/vuln/detail/CVE-2025-6203

Potential Risk of CVE

Gmail suffered a 2 million data breach – SSO situation sometimes ambush from all sides (1st Sep 2025)

Leave a comment

Quote: Google warns 2.5B Gmail users to update passwords after data breach of one of its databases – https://nypost.com/2025/08/27/business/google-warns-2-5-billion-gmail-users-to-update-passwords-after-hackers-complete-successful-intrusions/

Preface: More than 2.5 billion Gmail users could be at risk following a massive cyberattack that compromised a Google database managed through Salesforce’s cloud platform. The attack, which began in June 2025, relied on social engineering tactics. According to Google’s Threat Intelligence Group (GTIG), scammers impersonated IT staff during convincing phone calls and persuaded a Google employee to approve a malicious application connected to Salesforce. This gave attackers the ability to exfiltrate contact details, business names, and related notes. (Source: Trend Micro) – https://news.trendmicro.com/2025/08/26/google-data-breach-gmail/

Background: BeyondCorp® is a cybersecurity architecture developed at Google that shifts access control from the traditional network perimeter to individual devices and users. The goal is to enable users to securely work anytime, anywhere and on any device without having to use a virtual private network, or VPN, to access an organization’s resources.

Google uses OpenID Connect (OIDC) for its “Sign in with Google” functionality, as it is an OpenID Connect Provider that issues OIDC-formatted JSON Web Tokens (JWTs) to authenticate users and share identity information with client applications. This allows users to log into other websites and applications using their Google account, benefiting from a simplified and more secure single sign-on (SSO) experience.

OAuth 2.0 is an authorization framework, OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 to provide user authentication and identity information. OAuth 2.0 focuses on granting access to protected resources, while OIDC extends it to verify a user’s identity and share their profile information with third-party applications.

About the title: Please see the attached diagram.

Ref: Gmail utilizes a protocol called OpenID Connect (OIDC) for authentication, which is built on top of the OAuth 2.0 authorization framework. This protocol allows users to log in to various applications by authenticating with their Google Account without sharing their passwords directly, enabling both authentication (verifying identity) and authorization (granting access to specific data). For Gmail access, OAuth 2.0 is used for authorization, while OIDC provides the user authentication mechanism, returning an ID Token in addition to an access token for identity verification.

AI and ML, Potential Risk of CVE

CVE-2025-23307: NVIDIA NeMo Curator for all platforms contains a vulnerability (28th Aug 2025)

Leave a comment

Preface: NeMo Curator, part of the NVIDIA NeMo software suite for managing the AI agent lifecycle, is a Python library specifically designed for fast and scalable data processing and curation for generative AI use cases such as foundation language model pretraining, text-to-image model training, domain-adaptive pretraining (DAPT), supervised fine-tuning (SFT) and parameter-efficient fine-tuning (PEFT).

Background: To install the NeMo Curator library, run the following command:

  • git clone https://github[.]com/NVIDIA/NeMo-Curator[.]git
  • cd NeMo-Curator
  • pip install –extra-index-url https://pypi[.]nvidia[.]com “.[cuda12x]”

Data download: downloading pipeline in NeMo Curator consists of the following classes:

  • DocumentDownloader: Abstract class for downloading remote data to disk.
  • DocumentIterator: Abstract class for reading dataset raw records from the disk.
  • DocumentExtractor: Abstract class for extracting text records, as well as any relevant metadata from the records on the disk.

Vulnerability details: NVIDIA NeMo Curator for all platforms contains a vulnerability where a malicious file created by an attacker could allow code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

Ref: The vulnerability arises when malicious files—such as JSONL files—are loaded by NeMo Curator. If these files are crafted to exploit weaknesses in how NeMo Curator parses or processes them, they can inject executable code. This aligns with your description of:

  • Embedded malicious payloads in JSONL files.
  • JSON injection attacks exploiting parsing logic.

Official announcement: Please see the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5690