Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-14988

Summary
Assigner-icscert
Assigner Org ID-7d14cffa-0d7d-4270-9dc0-52cabd5a23a6
Published At-27 Jan, 2026 | 20:08
Updated At-27 Jan, 2026 | 20:51
Rejected At-
Credits

Incorrect Permission Assignment for Critical Resource vulnerability in iba Systems ibaPDA

A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:icscert
Assigner Org ID:7d14cffa-0d7d-4270-9dc0-52cabd5a23a6
Published At:27 Jan, 2026 | 20:08
Updated At:27 Jan, 2026 | 20:51
Rejected At:
▼CVE Numbering Authority (CNA)
Incorrect Permission Assignment for Critical Resource vulnerability in iba Systems ibaPDA

A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system.

Affected Products
Vendor
iba Systems
Product
ibaPDA
Default Status
unaffected
Versions
Affected
  • 8.12.0
Problem Types
TypeCWE IDDescription
CWECWE-732CWE-732 Incorrect Permission Assignment for Critical Resource
Type: CWE
CWE ID: CWE-732
Description: CWE-732 Incorrect Permission Assignment for Critical Resource
Metrics
VersionBase scoreBase severityVector
4.010.0CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Version: 4.0
Base score: 10.0
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

iba Systems recommends users update to ibaPDA v8.12.1 or a later version. If Installing the update is not possible, iba Systems recommends users: * Enable User Management: To activate user management, navigate to User Management settings under the Configure option. Set a password for the admin user to enable user management. Configure Server Access: To configure, open Server Access Manager (found under Configure in the ibaPDA Client). Set the configuration to restrict access. For example, only 127.0.0.1 (localhost) or specific system IP addresses to communicate with ibaPDA can connect to the ibaPDA Server. (In this example, only connections from localhost are permitted to access ibaPDA.) Restrict Connections to Localhost (if ibaPDA is only accessed from the system where it runs): * Go to I/O Manager, then General, and deactivate the option “Automatically open necessary ports in Windows Firewall.” (If this option remains active, after a restart of ibaPDA or a restart for data acquisition, the firewall will be reconfigured automatically.) * Then, go to Advanced Windows Firewall settings and delete or deactivate all incoming rules for the ibaPDA Client and Server. * Manually create firewall rules for the connection used for ibaPDA and verify that the correct ports are configured. For assistance with identifying the ports used by the ibaPDA service can be found in the iba Help Center. * Note: After making the changes, verify that all ibaPDA services are operating as expected and that the data acquisition is functioning correctly.

Configurations
Workarounds
Exploits
Credits
finder
Siemens reported this vulnerability to CISA.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01
government-resource
Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01
Resource:
government-resource
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:ics-cert@hq.dhs.gov
Published At:27 Jan, 2026 | 20:16
Updated At:29 Jan, 2026 | 16:31

A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.010.0CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 10.0
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-732Primaryics-cert@hq.dhs.gov
CWE ID: CWE-732
Type: Primary
Source: ics-cert@hq.dhs.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01ics-cert@hq.dhs.gov
N/A
Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01
Source: ics-cert@hq.dhs.gov
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2025-69426
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-10||CRITICAL
EPSS-0.06% / 18.23%
||
7 Day CHG+0.01%
Published-09 Jan, 2026 | 16:15
Updated-13 Jan, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded SSH Credentials RCE

The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise.

Action-Not Available
Vendor-RUCKUS Networks
Product-vRIoT IOT Controller
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2014-125121
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-10||CRITICAL
EPSS-40.77% / 97.27%
||
7 Day CHG~0.00%
Published-31 Jul, 2025 | 14:52
Updated-21 Nov, 2025 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Array Networks vAPV and vxAG Default Credential Privilege Escalation

Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise.

Action-Not Available
Vendor-Array Networks
Product-vxAGvAPV
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2025-12004
Matching Score-4
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-4
Assigner-The Wikimedia Foundation
CVSS Score-10||CRITICAL
EPSS-0.06% / 19.09%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 06:20
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The compare API module breaks Extension:Lockdown

Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action APIThis issue affects Mediawiki - Lockdown Extension: from master before 1.42.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Lockdown Extension
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
Details not found