cybelesoft CVE Vulnerabilities & Metrics

Focus on cybelesoft vulnerabilities and metrics.

Last updated: 18 May 2025, 22:25 UTC

About cybelesoft Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with cybelesoft. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total cybelesoft CVEs: 13
Earliest CVE date: 06 Oct 2017, 22:29 UTC
Latest CVE date: 13 Nov 2024, 23:15 UTC

Latest CVE reference: CVE-2024-40410

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 5

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical cybelesoft CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.28

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	5
4.0-6.9	7
7.0-8.9	1
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS cybelesoft CVEs

These are the five CVEs with the highest CVSS scores for cybelesoft, sorted by severity first and recency.

CVE-2021-45092 cybelesoft Published on 16 Dec 2021, 04:15 UTC (CVSS: 7.5)
Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter.
CVE-2022-25227 cybelesoft Published on 20 May 2022, 12:15 UTC (CVSS: 6.8)
Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.
CVE-2021-46354 cybelesoft Published on 09 Feb 2022, 14:15 UTC (CVSS: 5.0)
Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2, fixed in version 3.0 is affected by an information disclosure vulnerability in the parameter "Addr" in cmd site. The ability to send requests to other systems can allow the vulnerable server to filtrate the real IP of the web server or increase the attack surface.
CVE-2021-44554 cybelesoft Published on 20 Dec 2021, 09:15 UTC (CVSS: 5.0)
Thinfinity VirtualUI before 3.0 allows a malicious actor to enumerate users registered in the OS (Windows) through the /changePassword URI. By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest and krgtbt.
CVE-2021-44848 cybelesoft Published on 13 Dec 2021, 02:15 UTC (CVSS: 5.0)
In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists.

All CVEs for cybelesoft

CVE-2024-40410 cybelesoft vulnerability CVSS: 0 13 Nov 2024, 23:15 UTC

Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain a hardcoded cryptographic key used for encryption.

CVE-2024-40408 cybelesoft vulnerability CVSS: 0 13 Nov 2024, 23:15 UTC

Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the Create Profile section. This vulnerability allows attackers to create arbitrary user profiles with elevated privileges.

CVE-2024-40407 cybelesoft vulnerability CVSS: 0 13 Nov 2024, 23:15 UTC

A full path disclosure in Cybele Software Thinfinity Workspace before v7.0.2.113 allows attackers to obtain the root path of the application via unspecified vectors.

CVE-2024-40405 cybelesoft vulnerability CVSS: 0 13 Nov 2024, 23:15 UTC

Incorrect access control in Cybele Software Thinfinity Workspace before v7.0.3.109 allows attackers to gain access to a secondary broker via a crafted request.

CVE-2024-40404 cybelesoft vulnerability CVSS: 0 13 Nov 2024, 23:15 UTC

Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the API endpoint where Web Sockets connections are established.

CVE-2022-25227 cybelesoft vulnerability CVSS: 6.8 20 May 2022, 12:15 UTC

Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.

CVE-2021-46354 cybelesoft vulnerability CVSS: 5.0 09 Feb 2022, 14:15 UTC

Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2, fixed in version 3.0 is affected by an information disclosure vulnerability in the parameter "Addr" in cmd site. The ability to send requests to other systems can allow the vulnerable server to filtrate the real IP of the web server or increase the attack surface.

CVE-2021-44554 cybelesoft vulnerability CVSS: 5.0 20 Dec 2021, 09:15 UTC

Thinfinity VirtualUI before 3.0 allows a malicious actor to enumerate users registered in the OS (Windows) through the /changePassword URI. By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest and krgtbt.

CVE-2021-45092 cybelesoft vulnerability CVSS: 7.5 16 Dec 2021, 04:15 UTC

Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter.

CVE-2021-44848 cybelesoft vulnerability CVSS: 5.0 13 Dec 2021, 02:15 UTC

In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists.

CVE-2019-16385 cybelesoft vulnerability CVSS: 4.3 04 Jun 2020, 16:15 UTC

Cybele Thinfinity VirtualUI 2.5.17.2 allows HTTP response splitting via the mimetype parameter within a PDF viewer request, as demonstrated by an example.pdf?mimetype= substring. The victim user must load an application request to view a PDF, containing the malicious payload. This results in a reflected XSS payload being executed.

CVE-2019-16384 cybelesoft vulnerability CVSS: 4.0 04 Jun 2020, 16:15 UTC

Cybele Thinfinity VirtualUI 2.5.17.2 allows ../ path traversal that can be used for data exfiltration. This enables files outside of the web directory to be retrieved if the exact location is known and the user has permissions.

CVE-2015-1429 cybelesoft vulnerability CVSS: 5.0 06 Oct 2017, 22:29 UTC

Directory traversal vulnerability in Cybele Software Thinfinity Remote Desktop Workstation 3.0.0.3 32-bit and 64-bit allows remote attackers to download arbitrary files via a .. (dot dot) in an unspecified parameter.