Search

Find a vulnerability

Search criteria

    7 vulnerabilities

    CVE-2026-8153 (GCVE-0-2026-8153)

    Vulnerability from cvelistv5 – Published: 2026-05-08 11:45 – Updated: 2026-05-11 09:27
    VLAI
    Title
    Command injection in Dashboard Server interface
    Summary
    OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    TRO
    Impacted products
    Vendor Product Version
    Universal Robots PolyScope 5 Affected: 0 , < 5.25.1 (semver)
    Create a notification for this product.
    Credits
    Vera Mens of Claroty Team82
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8153",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T12:46:58.925917Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T12:47:12.421Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PolyScope 5",
              "vendor": "Universal Robots",
              "versions": [
                {
                  "lessThan": "5.25.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Only applicable if Dashboard Server interface is active"
                }
              ],
              "value": "Only applicable if Dashboard Server interface is active"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vera Mens of Claroty Team82"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to\u0026nbsp;5.25.1\u0026nbsp;allows unauthenticated attacker to\u0026nbsp;craft commands that will execute code on the robot\u0027s OS."
                }
              ],
              "value": "OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to\u00a05.25.1\u00a0allows unauthenticated attacker to\u00a0craft commands that will execute code on the robot\u0027s OS."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T09:27:08.778Z",
            "orgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
            "shortName": "TRO"
          },
          "references": [
            {
              "url": "https://www.universal-robots.com/developer/communication-protocol/dashboard-server/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to version\u0026nbsp;5.25.1\u0026nbsp;or later, or disable Dashboard Server interface"
                }
              ],
              "value": "Update to version\u00a05.25.1\u00a0or later, or disable Dashboard Server interface"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Command injection in Dashboard Server interface",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
        "assignerShortName": "TRO",
        "cveId": "CVE-2026-8153",
        "datePublished": "2026-05-08T11:45:18.462Z",
        "dateReserved": "2026-05-08T08:20:00.514Z",
        "dateUpdated": "2026-05-11T09:27:08.778Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13819 (GCVE-0-2025-13819)

    Vulnerability from cvelistv5 – Published: 2025-12-01 09:41 – Updated: 2025-12-01 14:04
    VLAI
    Title
    Open redirect in web server of MiR robots and MiR fleet
    Summary
    Open redirect in the web server component of MiR Robot and Fleet software allows a remote attacker to redirect users to arbitrary external websites via a crafted parameter, facilitating phishing or social engineering attacks.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    TRO
    Impacted products
    Vendor Product Version
    MiR Robot Affected: 0 , < 3.7.0 (semver)
    Create a notification for this product.
    MiR Fleet Affected: 0 , < 3.7.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13819",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-01T14:04:47.236996Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-01T14:04:56.013Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Robot",
              "vendor": "MiR",
              "versions": [
                {
                  "lessThan": "3.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Fleet",
              "vendor": "MiR",
              "versions": [
                {
                  "lessThan": "3.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpen redirect in the web server component of MiR Robot and Fleet software allows a remote attacker to redirect users to arbitrary external websites via a crafted \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eparameter, facilitating phishing or social engineering attacks.\u003c/span\u003e"
                }
              ],
              "value": "Open redirect in the web server component of MiR Robot and Fleet software allows a remote attacker to redirect users to arbitrary external websites via a crafted parameter, facilitating phishing or social engineering attacks."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-01T09:41:08.376Z",
            "orgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
            "shortName": "TRO"
          },
          "references": [
            {
              "url": "https://mobile-industrial-robots.com/security-advisories/cve-2025-13819-open-redirect"
            },
            {
              "url": "https://supportportal.mobile-industrial-robots.com/documentation/mir-cybersecurity-guide/mir-cybersecurity-guide/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Open redirect in web server of MiR robots and MiR fleet",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
        "assignerShortName": "TRO",
        "cveId": "CVE-2025-13819",
        "datePublished": "2025-12-01T09:41:08.376Z",
        "dateReserved": "2025-12-01T08:28:24.452Z",
        "dateUpdated": "2025-12-01T14:04:56.013Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-9229 (GCVE-0-2025-9229)

    Vulnerability from cvelistv5 – Published: 2025-08-20 08:36 – Updated: 2025-11-05 12:09
    VLAI
    Title
    Information Disclosure in MiR robots and MiR fleet through verbose error pages
    Summary
    Information disclosure vulnerability in error handling in MiR software prior to version 3.0.0 allows unauthenticated attackers to view detailed error information, such as file paths and other data, via access to verbose error pages.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    TRO
    Impacted products
    Credits
    Lockheed Martin Red Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9229",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-20T15:22:09.195431Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-20T15:22:18.229Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MiR Robots",
              "vendor": "Mobile Industrial Robots",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "MiR Fleet",
              "vendor": "Mobile Industrial Robots",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lockheed Martin Red Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Information disclosure vulnerability in error handling in MiR software prior to version 3.0.0 allows unauthenticated attackers to view detailed error information, such as file paths and other data, via access to verbose error pages."
                }
              ],
              "value": "Information disclosure vulnerability in error handling in MiR software prior to version 3.0.0 allows unauthenticated attackers to view detailed error information, such as file paths and other data, via access to verbose error pages."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-212",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-212 Functionality Misuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-05T12:09:23.900Z",
            "orgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
            "shortName": "TRO"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mobile-industrial-robots.com/security-advisories/information-disclosure"
            },
            {
              "url": "https://supportportal.mobile-industrial-robots.com/documentation/mir-cybersecurity-guide/mir-cybersecurity-guide/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to the newest software version, at least version 3.0.0\n\n\n\u003cbr\u003e"
                }
              ],
              "value": "Update to the newest software version, at least version 3.0.0"
            }
          ],
          "source": {
            "advisory": "MSA-17",
            "discovery": "EXTERNAL"
          },
          "title": "Information Disclosure in MiR robots and MiR fleet through verbose error pages",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eIf you cannot immediately update to the recommended version, we recommend the following compensating \nmeasures:\u003c/div\u003e\u003cdiv\u003e1. Operate the MiR system in a segmented and secured network with strict firewall rules\u003c/div\u003e\u003cdiv\u003e2. Secure user accounts on the MiR system as recommended in the MiR Cybersecurity Guide\n\n\n\u003c/div\u003e"
                }
              ],
              "value": "If you cannot immediately update to the recommended version, we recommend the following compensating \nmeasures:\n\n1. Operate the MiR system in a segmented and secured network with strict firewall rules\n\n2. Secure user accounts on the MiR system as recommended in the MiR Cybersecurity Guide"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
        "assignerShortName": "TRO",
        "cveId": "CVE-2025-9229",
        "datePublished": "2025-08-20T08:36:57.846Z",
        "dateReserved": "2025-08-20T08:29:15.175Z",
        "dateUpdated": "2025-11-05T12:09:23.900Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-9228 (GCVE-0-2025-9228)

    Vulnerability from cvelistv5 – Published: 2025-08-20 08:24 – Updated: 2025-11-05 12:08
    VLAI
    Title
    Insufficient authorization when creating notes
    Summary
    MiR software versions prior to version 3.0.0 have insufficient authorization controls when creating text notes, allowing low-privilege users to create notes which are intended only for administrative users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    TRO
    Impacted products
    Credits
    Lockheed Martin Red Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9228",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-20T15:23:30.523444Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-20T15:23:37.679Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MiR Robots",
              "vendor": "Mobile Industrial Robots",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "MiR Fleet",
              "vendor": "Mobile Industrial Robots",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lockheed Martin Red Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "MiR software versions prior to version 3.0.0 have insufficient authorization controls when creating text notes, \nallowing low-privilege users to create notes which are intended only for administrative users."
                }
              ],
              "value": "MiR software versions prior to version 3.0.0 have insufficient authorization controls when creating text notes, \nallowing low-privilege users to create notes which are intended only for administrative users."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-05T12:08:35.758Z",
            "orgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
            "shortName": "TRO"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mobile-industrial-robots.com/security-advisories/insufficient-authorization-when-creating-notes"
            },
            {
              "url": "https://supportportal.mobile-industrial-robots.com/documentation/mir-cybersecurity-guide/mir-cybersecurity-guide/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to the newest software version, at least version 3.0.0\n\n\n\u003cbr\u003e"
                }
              ],
              "value": "Update to the newest software version, at least version 3.0.0"
            }
          ],
          "source": {
            "advisory": "MSA-15",
            "discovery": "EXTERNAL"
          },
          "title": "Insufficient authorization when creating notes",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eIf you cannot immediately update to the recommended version, we recommend the following compensating \nmeasures:\u003c/div\u003e\u003cdiv\u003e1. Operate the MiR system in a segmented and secured network with strict firewall rules\u003c/div\u003e\u003cdiv\u003e2. Secure user accounts on the MiR system as recommended in the MiR Cybersecurity Guide\n\n\u003c/div\u003e"
                }
              ],
              "value": "If you cannot immediately update to the recommended version, we recommend the following compensating \nmeasures:\n\n1. Operate the MiR system in a segmented and secured network with strict firewall rules\n\n2. Secure user accounts on the MiR system as recommended in the MiR Cybersecurity Guide"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
        "assignerShortName": "TRO",
        "cveId": "CVE-2025-9228",
        "datePublished": "2025-08-20T08:24:33.175Z",
        "dateReserved": "2025-08-20T08:15:31.511Z",
        "dateUpdated": "2025-11-05T12:08:35.758Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-9225 (GCVE-0-2025-9225)

    Vulnerability from cvelistv5 – Published: 2025-08-20 07:26 – Updated: 2025-11-05 12:07
    VLAI
    Title
    Cross-site scripting (XSS) in MiR robots and MiR fleet
    Summary
    Stored cross-site scripting (XSS) in the web interface of MiR software versions prior to 3.0.0 on MiR Robots and MiR Fleet allows execution of arbitrary JavaScript code in a victim’s browser
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    TRO
    Impacted products
    Credits
    Lockheed Martin Red Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9225",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-20T17:21:20.367826Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-20T17:27:46.640Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MiR Robots",
              "vendor": "Mobile Industrial Robots",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "MiR Fleet",
              "vendor": "Mobile Industrial Robots",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lockheed Martin Red Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Stored cross-site scripting (XSS) in the web interface of MiR software versions prior to 3.0.0 on MiR Robots and MiR Fleet allows execution of arbitrary JavaScript code in a victim\u2019s browser"
                }
              ],
              "value": "Stored cross-site scripting (XSS) in the web interface of MiR software versions prior to 3.0.0 on MiR Robots and MiR Fleet allows execution of arbitrary JavaScript code in a victim\u2019s browser"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-05T12:07:24.766Z",
            "orgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
            "shortName": "TRO"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mobile-industrial-robots.com/security-advisories/cross-site-scripting"
            },
            {
              "url": "https://supportportal.mobile-industrial-robots.com/documentation/mir-cybersecurity-guide/mir-cybersecurity-guide/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to the newest software version, at least version 3.0.0"
                }
              ],
              "value": "Update to the newest software version, at least version 3.0.0"
            }
          ],
          "source": {
            "advisory": "MSA-14",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site scripting (XSS) in MiR robots and MiR fleet",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "If you cannot immediately update to the recommended version, we recommend the following compensating \nmeasures:\n1. Operate the MiR system in a segmented and secured network with strict firewall rules\n2. Secure user accounts on the MiR system as recommended in the MiR Cybersecurity Guide."
                }
              ],
              "value": "If you cannot immediately update to the recommended version, we recommend the following compensating \nmeasures:\n1. Operate the MiR system in a segmented and secured network with strict firewall rules\n2. Secure user accounts on the MiR system as recommended in the MiR Cybersecurity Guide."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
        "assignerShortName": "TRO",
        "cveId": "CVE-2025-9225",
        "datePublished": "2025-08-20T07:26:01.629Z",
        "dateReserved": "2025-08-20T07:11:04.843Z",
        "dateUpdated": "2025-11-05T12:07:24.766Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-8749 (GCVE-0-2025-8749)

    Vulnerability from cvelistv5 – Published: 2025-08-08 11:46 – Updated: 2025-11-05 12:06
    VLAI
    Title
    Path traversal vulnerability in MiR robot software via API requests
    Summary
    Path Traversal vulnerability in API Endpoint in Mobile Industrial Robots (MiR) Software Versions prior to 3.0.0 on MiR Robots allows authenticated users to extract files from the robot file system via a crafted API request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    TRO
    Impacted products
    Vendor Product Version
    Mobile Industrial Robots MiR Robots Affected: 0 , < 3.0.0 (semver)
    Create a notification for this product.
    Credits
    Lockheed Martin Red Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8749",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-08T14:52:59.034570Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-08T14:53:05.796Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MiR Robots",
              "vendor": "Mobile Industrial Robots",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lockheed Martin Red Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path Traversal vulnerability in API Endpoint in Mobile Industrial Robots (MiR) Software Versions prior to 3.0.0 on MiR Robots allows authenticated users to extract files from the robot file system via a crafted API request."
                }
              ],
              "value": "Path Traversal vulnerability in API Endpoint in Mobile Industrial Robots (MiR) Software Versions prior to 3.0.0 on MiR Robots allows authenticated users to extract files from the robot file system via a crafted API request."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-05T12:06:17.424Z",
            "orgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
            "shortName": "TRO"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mobile-industrial-robots.com/security-advisories/path-traversal"
            },
            {
              "url": "https://supportportal.mobile-industrial-robots.com/documentation/mir-cybersecurity-guide/mir-cybersecurity-guide/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to software version 3.0.0 or newer"
                }
              ],
              "value": "Upgrade to software version 3.0.0 or newer"
            }
          ],
          "source": {
            "advisory": "MSA-13",
            "discovery": "UNKNOWN"
          },
          "title": "Path traversal vulnerability in MiR robot software via API requests",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
        "assignerShortName": "TRO",
        "cveId": "CVE-2025-8749",
        "datePublished": "2025-08-08T11:46:16.957Z",
        "dateReserved": "2025-08-08T11:22:17.262Z",
        "dateUpdated": "2025-11-05T12:06:17.424Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-8748 (GCVE-0-2025-8748)

    Vulnerability from cvelistv5 – Published: 2025-08-08 11:09 – Updated: 2025-11-05 12:02
    VLAI
    Title
    OS command injection in MiR robots and MiR fleet via crafted HTTP requests
    Summary
    MiR software versions prior to version 3.0.0 are affected by a command injection vulnerability. A malicious HTTP request crafted by an authenticated user could allow the execution of arbitrary commands on the underlying operating system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    TRO
    Impacted products
    Credits
    Lockheed Martin Red Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8748",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-08T15:36:32.308408Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-08T15:36:48.048Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MiR Robots",
              "vendor": "Mobile Industrial Robots",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "MiR Fleet",
              "vendor": "Mobile Industrial Robots",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lockheed Martin Red Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eMiR software versions prior to version 3.0.0 are affected by a command injection vulnerability. A malicious \nHTTP request crafted by an authenticated user could allow the execution of arbitrary commands on the \nunderlying operating system.\u003c/div\u003e"
                }
              ],
              "value": "MiR software versions prior to version 3.0.0 are affected by a command injection vulnerability. A malicious \nHTTP request crafted by an authenticated user could allow the execution of arbitrary commands on the \nunderlying operating system."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-05T12:02:30.747Z",
            "orgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
            "shortName": "TRO"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mobile-industrial-robots.com/security-advisories/command-injection"
            },
            {
              "url": "https://supportportal.mobile-industrial-robots.com/documentation/mir-cybersecurity-guide/mir-cybersecurity-guide/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to the newest software version, at least version 3.0.0\n\n\u003cbr\u003e"
                }
              ],
              "value": "Update to the newest software version, at least version 3.0.0"
            }
          ],
          "source": {
            "advisory": "MSA-16",
            "discovery": "UNKNOWN"
          },
          "title": "OS command injection in MiR robots and MiR fleet via crafted HTTP requests",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1b7e193f-2525-49a1-b171-84af8827c9eb",
        "assignerShortName": "TRO",
        "cveId": "CVE-2025-8748",
        "datePublished": "2025-08-08T11:09:17.348Z",
        "dateReserved": "2025-08-08T11:07:37.364Z",
        "dateUpdated": "2025-11-05T12:02:30.747Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }