TRUMPF: Multiple products affected by log4net vulnerability

The versions of TRUMPF products stated below are including a version of log4net that’s prone to XXE (External XML Entities) attacks under certain circumstances. This means, the log4net code can be tricked into loading externally hosted, potentially malicious XML code and possibly executing it. This vulnerability allows for the execution of remote XML code, possibly resulting in unauthorized (remote) access to, change of data or disruption of the whole system running the vulnerable application.


CVE-2018-1285: 9.8

WAGO: Year 2038 problem

The Year 2038 Problem affects systems using a 32-bit integer to represent time as the number of seconds since January 1, 1970. On January 19, 2038, at 03:14:07 UTC, the time value will exceed the maximum for a 32-bit integer, causing an overflow and resetting it to a negative number.


CVE-2025-0101: 6.5

ads-tec Industrial IT: Mosquitto MQTT Client Vulnerability in ADS-TEC IRF Products

The ADS-TEC firewall products IRF1000, IRF2000, and IRF3000 include Eclipse Mosquitto, affected by multiple vulnerabilities. Exploitation requires a compromised upstream MQTT broker, limiting direct device exposure.


CVE-2024-10525: 9.8
CVE-2024-8376: 7.5
CVE-2024-3935: 6.5

MB connect line: Vulnerabilities in mbCONNECT24 and mymbCONNECT24

The data24 service that is bundled with every installation of mbCONNECT24/mymbCONNECT24 has two serious flaws in core components. These combined can lead to a complete loss of confidentiality, integrity and availability.


CVE-2024-23943: 9.1
CVE-2024-23942: 7.1

Helmholz: Vulnerabilities in myREX24 and myREX24.virtual

The data24 service that is bundled with every installation of myREX24/myREX24.virtual has two serious flaws in core components. These combined can lead to a complete loss of confidentiality, integrity and availability.


CVE-2024-23943: 9.1
CVE-2024-23942: 7.1

CODESYS (Edge) Gateway for Windows insecure default

The CODESYS Gateway enables communication between CODESYS runtimes and other clients, primarily the CODESYS Development System V3. It is usually installed as a part of the CODESYS Development System V3 setup and accessed locally by the CODESYS Development System. Due to an insecure standard configuration of the CODESYS Gateway, it is not only accessible locally, but also remotely by default.


CVE-2024-41975: 5.3

CODESYS Control V3 - OPC UA Server Authentication bypass

The OPC UA security policy Basic128Rsa15 is vulnerable against attacks on the private key. This can lead to loss of confidentiality or authentication bypass. The CODESYS OPC UA server is not affected in the default configuration. However, the affected policy may be enabled by a customer configuration.


CVE-2025-1468: 7.5

CODESYS Control V3 removable media path traversal

A low privileged attacker with physical access to a controller, that supports removable media and is running a CODESYS Control runtime system, can exploit the insufficient path validation by connecting removable media with a file system supporting symbolic links. This could allow the attacker to bypass SysFile restrictions and gain unauthorized access to the entire file system.

Update A: Removed version 4.16.0.0 as 4.15.0.0 version includes the fixes.


CVE-2025-0694: 6.6

Feeds

By Vendor

Archive

2025
2024
2023
2022
2021
2020
2019
2018
2017

Legend

(Scoring for CVSS 2.0,3.0+3.1)
None
No CVE available
Low
0.1 <= 3.9
Medium
4.0 <= 6.9
High
7.0 <= 8.9
Critical
9.0 <= 10.0