Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

You can be informed daily, through RSS feeds or newsletters, about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-25567

Publication date:
12/03/2025
SoftEther VPN 5.02.5187 is vulnerable to Buffer Overflow in Internat.c via the UniToStrForSingleChars function. NOTE: the Supplier disputes this because the behavior only enables a local user to attack himself through the UI,
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2025

CVE-2025-25568

Publication date:
12/03/2025
SoftEtherVPN 5.02.5187 is vulnerable to Use after Free in the Command.c file via the CheckNetworkAcceptThread function. NOTE: the Supplier disputes this because the use-after-free is not in the VPN software, but is instead in a separate tool that has no untrusted input and runs under the user's own privileges (it is a stress-testing tool for a networking stack).
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2025

CVE-2025-20115

Publication date:
12/03/2025
A vulnerability in confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
This vulnerability is due to a memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute that has 255 autonomous system numbers (AS numbers). An attacker could exploit this vulnerability by sending a crafted BGP update message, or the network could be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more. A successful exploit could allow the attacker to cause memory corruption, which may cause the BGP process to restart, resulting in a DoS condition. To exploit this vulnerability, an attacker must control a BGP confederation speaker within the same autonomous system as the victim, or the network must be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2025

CVE-2025-20138

Publication date:
12/03/2025
A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.
This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root and execute arbitrary commands.
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2025

CVE-2025-20141

Publication date:
12/03/2025
A vulnerability in the handling of specific packets that are punted from a line card to a route processor in Cisco IOS XR Software Release 7.9.2 could allow an unauthenticated, adjacent attacker to cause control plane traffic to stop working on multiple Cisco IOS XR platforms.
This vulnerability is due to incorrect handling of packets that are punted to the route processor. An attacker could exploit this vulnerability by sending traffic, which must be handled by the Linux stack on the route processor, to an affected device. A successful exploit could allow the attacker to cause control plane traffic to stop working, resulting in a denial of service (DoS) condition.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-20142

Publication date:
12/03/2025
A vulnerability in the IPv4 access control list (ACL) feature and quality of service (QoS) policy feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers could allow an unauthenticated, remote attacker to cause a line card to reset, resulting in a denial of service (DoS) condition.
This vulnerability is due to the incorrect handling of malformed IPv4 packets that are received on line cards where the interface has either an IPv4 ACL or QoS policy applied. An attacker could exploit this vulnerability by sending crafted IPv4 packets through an affected device. A successful exploit could allow the attacker to cause network processor errors, resulting in a reset or shutdown of the network process. Traffic over that line card would be lost while the line card reloads.
Note: This vulnerability has predominantly been observed in Layer 2 VPN (L2VPN) environments where an IPv4 ACL or QoS policy has been applied to the bridge virtual interface. Layer 3 configurations where the interface has either an IPv4 ACL or QoS policy applied are also affected, though the vulnerability has not been observed.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2025

CVE-2025-20143

Publication date:
12/03/2025
A vulnerability in the boot process of Cisco IOS XR Software could allow an authenticated, local attacker with high privileges to bypass the Secure Boot functionality and load unverified software on an affected device. To exploit this vulnerability, the attacker must have root-system privileges on the affected device.
This vulnerability is due to insufficient verification of modules in the software load process. An attacker could exploit this vulnerability by manipulating the loaded binaries to bypass some of the integrity checks that are performed during the booting process. A successful exploit could allow the attacker to control the boot configuration, which could enable them to bypass the requirement to run Cisco-signed images or alter the security properties of the running system.
Note: This vulnerability affects Cisco IOS XR Software, not the Secure Boot feature.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2025

CVE-2025-20144

Publication date:
12/03/2025
A vulnerability in the hybrid access control list (ACL) processing of IPv4 packets in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL.
This vulnerability is due to incorrect handling of packets when a specific configuration of the hybrid ACL exists. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass a configured ACL on the affected device.
For more information, see the section of this advisory.
Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2025

CVE-2025-1683

Publication date:
12/03/2025
Improper link resolution before file access in the Nomad module of the 1E Client, in versions prior to 25.3, enables an attacker with local unprivileged access on a Windows system to delete arbitrary files on the device by exploiting symbolic links.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2025-0813

Publication date:
12/03/2025
CWE-287: Improper Authentication vulnerability exists that could cause an Authentication Bypass when an unauthorized user without permission rights has physical access to the EPAS-UI computer and is able to reboot the workstation and interrupt the normal boot process.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2025-0883

Publication date:
12/03/2025
Improper Neutralization of Script in an Error Message Web Page vulnerability in OpenText™ Service Manager.
The vulnerability could reveal sensitive information retained by the browser.
This issue affects Service Manager: 9.70, 9.71, 9.72, 9.80.
Severity CVSS v4.0: LOW
Last modification:
15/04/2026

CVE-2025-0884

Publication date:
12/03/2025
Unquoted Search Path or Element vulnerability in OpenText™ Service Manager.
The vulnerability could allow a user to gain SYSTEM privileges through Privilege Escalation.
This issue affects Service Manager: 9.70, 9.71, 9.72.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026