Common Vulnerabilities and Exposures

We are committed to securing critical infrastructure and important products, to make a safer world for everyone.

Disclaimer: Some information is redacted for safety; please contact us if you require specific details.

What are CVEs?

Common Vulnerabilities and Exposures (CVEs) are publicly disclosed security flaws in software and hardware systems. Each CVE represents a specific vulnerability that could potentially be exploited by malicious actors to compromise systems, data, and networks. The identification and disclosure of CVEs are crucial in the cybersecurity landscape, as they provide a standardised method for sharing information about vulnerabilities across the industry.

Ethical Disclosure

Our approach is designed to minimise risks while maximising digital safety. By proactively contacting companies and relevant authorities, we ensure that vulnerabilities are addressed directly and responsibly.

The Importance of CVEs

The importance of CVEs lies in their role in promoting transparency and awareness in cybersecurity. By informing the public and relevant authorities about existing vulnerabilities, CVEs help prevent undisclosed weaknesses from being exploited, which could lead to severe consequences for individuals, organisations, and critical infrastructure. The timely and responsible disclosure of these vulnerabilities allows for the development and deployment of patches and security measures to mitigate potential risks.

Our Approach

Our approach to uncovering vulnerabilities is multifaceted, combining cutting-edge technologies with expert human insights. By mimicking the methodologies of real-world hackers, we use a combination of drive-by scans and real-world techniques to actively seek out potential security weaknesses. Our strategy integrates manual testing with human intelligence and the advanced capabilities of AI, allowing us to identify and prioritise vulnerabilities that pose the highest risk of exploitation by malicious attackers.

Recognising the critical importance of this infrastructure to modern society, we place a strong emphasis on mapping critical infrastructure systems and identifying vulnerabilities in systems exposed to the internet. Once discovered, these weaknesses go through a strict ethical disclosure process, ensuring that they are addressed promptly and securely.

Our Initiative and Commitment

At Samurai Security, we believe in a safer cybersecurity world, driven by honesty and integrity. We undertake the discovery of CVEs as a voluntary initiative, free of charge, because we are committed to making the digital world safer for everyone. Our team is dedicated to identifying vulnerabilities not for profit, but to uphold the highest standards of cybersecurity.

The CVEs listed below are discoveries we have made in the past, demonstrating our commitment to cybersecurity excellence and our proactive role in safeguarding digital environments.

Name of tester: Momen
Severity: Critical
Submission body: Cybersecurity and Infrastructure Security Agency (CISA)
System type: SCADA

CVE-2023-4485

CVSS v3 9.8

Sistema SCADA Central, a supervisory control and data acquisition (SCADA) system, is designed to monitor and control various industrial processes and critical infrastructure. ARDEREG identified this SCADA system’s login page to be vulnerable to an unauthenticated blind SQL injection attack. An attacker could manipulate the application’s SQL query logic to extract sensitive information or perform unauthorized actions within the database. In this case, the vulnerability could allow an attacker to execute arbitrary SQL queries through the login page, potentially leading to unauthorized access, data leakage, or even disruption of critical industrial processes.

Name of tester: Momen
Severity: Critical
Submission body: Cybersecurity and Infrastructure Security Agency (CISA)
System type: SCADA

CVE-2023-1934

CVSS v3 9.8

The PnPSCADA system, a product of SDG Technologies CC, is afflicted by a critical unauthenticated error-based PostgreSQL Injection vulnerability. Present within the hitlogcsv.jsp endpoint, this security flaw permits unauthenticated attackers to engage with the underlying database seamlessly and passively. Consequently, malicious actors could gain access to vital information, such as Industrial Control System (ICS) and OT data, alongside other sensitive records like SMS and SMS Logs. The unauthorized database access exposes compromised systems to potential manipulation or breach of essential infrastructure data, highlighting the severity of this vulnerability.

Name of tester: Momen
Severity: Medium
Submission body: Cybersecurity and Infrastructure Security Agency (CISA)
System type: OT

CVE-2023-5885

CVSS v3 6.5

The discontinued FFS Colibri product allows a remote user to access files on the system including files containing login credentials for other users. Successful exploitation of this vulnerability could allow an attacker to obtain login credentials for other users.

Name of tester: Momen
Severity: High
Submission body: Cybersecurity and Infrastructure Security Agency (CISA)
System type: OT

CVE-2023-44037

CVSS v3 8.8

APsystems ENERGY COMMUNICATION UNIT (ECU-C) Power Control Software V4.1NA, V3.11.4, W2.1NA, V4.1SAA, C1.2.2 allows attackers to access sensitive data and execute specific commands and functions with full admin rights.
