Threatscape

All the following vulnerabilities were discovered either by Positive Research experts or by automated security products from Positive Technologies, including MaxPatrol and PT Application Inspector.

Medium (5,3) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

PT-2021-15: Denial of Service when Processing File with Incorrect Header Content in FX5U(C) CPU and FX5UJ CPU modules

Fix date:	no patches available
Vector:	Remote
Systems affected:	FX5U(C) CPU and FX5UJ CPU modules
Vendor:	Mitsubishi Electric

High (8,6) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

PT-2021-14: Integer Overflow Resulting in Reading and Writing Outside Memory Range Allocated to Device

Fix date:	no patches available
Vector:	Remote
Systems affected:	FX5U(C) CPU and FX5UJ CPU modules
Vendor:	Mitsubishi Electric

Medium (6,8) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

PT-2021-13: Access to sensitive PLC information in FX5U(C) CPU and FX5UJ CPU modules

Fix date:	no patches available
Vector:	Remote
Systems affected:	FX5U(C) CPU and FX5UJ CPU modules
Vendor:	Mitsubishi Electric

Medium (5,9) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

PT-2021-12: Authentication pypass by capture-replay in FX5U(C) CPU and FX5UJ CPU modules

Fix date:	no patches available
Vector:	Remote
Systems affected:	FX5U(C) CPU and FX5UJ CPU modules
Vendor:	Mitsubishi Electric

High (7,4) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

PT-2021-11: Possibility to access file 00000001.SYP with file password mechanism enabled in the FX5U(C) CPU and FX5UJ CPU modules

Fix date:	no patches available
Vector:	Remote
Systems affected:	FX5U(C) CPU and FX5UJ CPU modules
Vendor:	Mitsubishi Electric

High (7,4) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

PT-2021-10: Possibility of authorization in the file password mechanism using the password hash value in the FX5U(C) CPU and FX5UJ CPU modules

Fix date:	no patches available
Vector:	Remote
Systems affected:	FX5U(C) CPU and FX5UJ CPU modules
Vendor:	Mitsubishi Electric

Medium (5,9) CVSS: 3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

PT-2021-09: Possibility of authorization in Remote Password mechanism using password hash

Fix date:	no patches available
Vector:	Remote
Systems affected:	FX5U(C) CPU and FX5UJ CPU modules
Vendor:	Mitsubishi Electric

Medium (5,9) CVSS: 3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

PT-2021-08: Possibility of authorization in Remote Password mechanism using password hash in FX5U(C) CPU and FX5UJ CPU modules

Fix date:	no patches available
Vector:	Remote
Systems affected:	FX5U(C) CPU and FX5UJ CPU modules
Vendor:	Mitsubishi Electric

Medium (5.3) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

PT-2021-07: GPay payments above NoCVM limits, CryptoATC out of order

Fix date:	no patches available
Vector:	Local
Systems affected:	MasterCard Tokenisation Service (MDES)
Vendor:	MasterCard
Notification status:	October, 2021- Vendor notification date

Medium (4.9) CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

PT-2021-06: Lack of integrity checks of the MCC field

Fix date:	no patches available
Vector:	Remote
Systems affected:	Visa Tokenisation Service (VTS) MasterCard Tokenisation Service (MDES)
Vendor:	EMVCo, Visa, MasterCard
Notification status:	October, 2021- Vendor notification date

Medium (4.1) CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

PT-2021-05: Lack of Amount/CVMResults fields checking for Public Transport Schemes

Fix date:	no patches available
Vector:	Local
Systems affected:	Visa Tokenisation Service (VTS) MasterCard Tokenisation Service (MDES)
Vendor:	EMVCo
Notification status:	October, 2021- Vendor notification date

Medium (4.9) CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

PT-2021-04: AAC/ARQC cryptogram confusion

Fix date:	no patches available
Vector:	Remote
Systems affected:	Visa Tokenisation Service (VTS) MasterCard Tokenisation Service (MDES)
Vendor:	Visa Inc, MasterCard Inc.
Notification status:	October, 2021- Vendor notification date

Medium (5.3) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

PT-2021-03: Apple Pay authentication and fields validation issues

Fix date:	no patches available
Vector:	Local
Systems affected:	iOS/iPhone
Vendor:	Apple Inc
Notification status:	October, 2021- Vendor notification date

High (6.8) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

PT-2021-02: Encryption bypass when downloading a firmware update in Diebold-Nixdorf RM3/CRS

Fix date:	no patches available
Vector:	Local
Systems affected:	RM3/CRS dispenser firmware (all versions up to and including 41128 1002 RM3_CRS.BTR + 170329 2332 RM3_CRS.FRM)
Vendor:	Diebold-Nixdorf
Notification status:	July, 2018 - Vendor notification date

High (6.8) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

PT-2021-01: Encryption bypass when downloading a firmware update in Diebold-Nixdorf CMDv5

Fix date:	no patches available
Vector:	Local
Systems affected:	CMDv5 dispenser firmware (all versions up to and including 141128 1002 CD5_ATM.BTR + 170329 2332 CD5_ATM.FRM)
Vendor:	Diebold-Nixdorf
Notification status:	July, 2018 - Vendor notification date

High (7,5) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

PT-2020-31: Denial of service in F5 Traffic Management Microkernel (TMM)

Fix date:	December 17, 2020
Vector:	Remote
Systems affected:	Traffic Management Microkernel (TMM)
Vendor:	F5 Networks
Notification status:	April 30, 2020 - Vendor notification date December 17, 2020 - Security advisory publication date

High (9,8) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

PT-2020-30: Multiple code execution in Cisco Integrated Management Controller (CIMC)

Fix date:	November 18, 2020
Vector:	Remote
Systems affected:	Cisco Integrated Management Controller (CIMC)
Vendor:	Cisco
Notification status:	April 11, 2020 - Vendor notification date November 18, 2020 - Security advisory publication date

High (9,4) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

PT-2020-29: Denial of service and potential arbitrary code execution in SonicOS

Fix date:	October 12, 2020
Vector:	Remote
Systems affected:	SonicOS SonicOSv
Vendor:	SonicWall
Notification status:	June 26, 2020 - Vendor notification date October 12, 2020 - Security advisory publication date

High (7.6) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

PT-2020-28: Undocumented physical access to the system (SBI bootloader memory write)

Fix date:	August 1, 2020
Vector:	Local
Systems affected:	All
Vendor:	Verifone
Notification status:	October 1, 2019 - Vendor notification date August 1, 2020 - Security advisory publication date

High (7.3) CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H

PT-2020-27: Undocumented physical access mode (VerixV shell.out)

Fix date:	August 1, 2020
Vector:	Local
Systems affected:	VerixV
Vendor:	Verifone
Notification status:	October 1, 2019 - Vendor notification date August 1, 2020 - Security advisory publication date

Severity level

All levels

High

Medium

Low

Date filters

Date range

Year Year

Month Month

Starts:

Year Year

Month Month

Ends:

Year Year

Month Month

Vendor

Company name Company name

Systems affected

Software name Software name

Show threats with CVE-ID

Reset filter

Editor’s Choice

June 17, 2022 Positive Research 2022
June 7, 2021 Positive Research 2021
December 7, 2020 Positive Research 2020