All CosmicBytez Labs articles tagged #IoT, across news, security advisories, how-to guides, and projects.
A critical CVSS 9.8 buffer overflow vulnerability in Tenda AC10 v3 firmware V03.03.16.09 allows remote attackers to cause permanent denial of service or execute arbitrary code via the /cgi-bin/UploadCfg endpoint.
A vulnerability in KNX Association KNX Protocol Connection Authorization Option 1 allows an attacker to purge all devices without additional security options enabled and set a BCU key to lock the device. CISA added this flaw to the Known Exploited Vulnerabilities catalog on July 15, 2026.
A CVSS 9.8 critical OS command injection vulnerability in the Comfast CF-WR631AX V3 router allows unauthenticated network-adjacent attackers to execute arbitrary commands via a manipulated filename argument in the FastCGI backend webmgnt binary.
Researchers have discovered six vulnerabilities in the widely deployed U-Boot bootloader that could allow attackers to execute malicious code at boot time, bypassing OS-level security protections and installing persistent firmware implants.
Security firm runZero has disclosed seven vulnerabilities in FatFs, a widely used FAT/exFAT filesystem library embedded in cameras, drones, crypto...
A critical CVSS 10.0 stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated remote attackers to achieve...
Multiple OS command injection vulnerabilities in GeoVision GV-I/O Box 4E firmware 2.09 allow attackers with network access to execute arbitrary system...
A second critical CVSS 10.0 stack-based buffer overflow in GeoVision GV-I/O Box 4E firmware 2.09 — this time in the Net Mask field handling of the...
A critical OS command injection flaw in the Lantronix EDS5000 serial device server allows unauthenticated attackers to inject arbitrary commands via the...
A critical CVSS 9.8 vulnerability in a local MQTT broker fails to enforce topic-level ACLs, allowing any client to use wildcard characters to enumerate hidden…
A CVSS 9.8 critical vulnerability in Snap One WattBox 800 and 820 series firmware exposes undisclosed diagnostic HTTP endpoints protected only by the...
A critical unauthenticated OS command injection vulnerability in the Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote attackers to...
A critical CVSS 9.8 OS command injection vulnerability in the Totolink A8000RU router allows unauthenticated remote attackers to execute arbitrary...
A critical CVSS 9.9 elevation of privilege vulnerability in Azure IoT Central allows an authenticated attacker to escalate privileges over a network by...
A critical OS command injection vulnerability (CVSS 9.8) in Totolink A7100RU firmware allows unauthenticated remote attackers to execute arbitrary...
A critical OS command injection flaw (CVSS 9.8) in Totolink A7100RU enables remote unauthenticated attackers to execute arbitrary commands by manipulating...
CVE-2026-6114 is a critical OS command injection vulnerability (CVSS 9.8) in the Totolink A7100RU router's setNetworkCfg function, exploitable remotely...
CVE-2026-6115 describes a critical OS command injection vulnerability (CVSS 9.8) in the Totolink A7100RU router, exploitable remotely and without...
A CVSS 10 critical vulnerability in the Sonos Era 300 smart speaker allows unauthenticated remote attackers to execute arbitrary code by exploiting an...
A critical OS command injection vulnerability (CVSS 9.8) in TOTOLINK A7100RU routers allows unauthenticated remote attackers to execute arbitrary system...
A second critical OS command injection vulnerability (CVSS 9.8) in TOTOLINK A7100RU routers allows unauthenticated remote attackers to execute arbitrary...
A joint operation by the US Department of Justice, Canada, and Germany has dismantled the infrastructure behind four highly disruptive IoT botnets that...
This week's cybersecurity roundup covers supply chain attacks hitting CI/CD pipelines, long-running IoT botnets finally disrupted, the FBI's warrantless...
A CVSS 9.8 Critical stack-based buffer overflow in Tenda A15 firmware 15.13.07.13 allows unauthenticated remote attackers to execute arbitrary code by...
A CVSS 8.8 stack-based buffer overflow in D-Link DHP-1320 firmware 1.00WWB04 allows unauthenticated remote attackers to execute arbitrary code via a...
The U.S. Department of Justice, in coordination with Germany and Canada, has dismantled the C2 infrastructure of four major IoT botnets — AISURU, Kimwolf,...
IoT botnet Kimwolf launches sustained attack against The Invisible Internet Project (I2P), disrupting the encrypted, decentralized communications network...
CVE-2026-0625 allows unauthenticated remote code execution on legacy D-Link DSL routers. Devices are end-of-life with no patches forthcoming. Immediate...