Bitdefender Gravityzone vulnerabilities
15 known vulnerabilities affecting bitdefender/gravityzone.
Total CVEs
15
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL7HIGH6MEDIUM2
Vulnerabilities
Page 1 of 1
CVE-2014-5350P3MEDIUMCVSS 5.0PoC≤ 5.1.5.3862014-08-19
CVE-2014-5350 [MEDIUM] CWE-22 CVE-2014-5350: Multiple directory traversal vulnerabilities in Bitdefender GravityZone before 5.1.11.432 allow remo
Multiple directory traversal vulnerabilities in Bitdefender GravityZone before 5.1.11.432 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the id parameter to webservice/CORE/downloadFullKitEpc/a/1 in the Web Console or (2) %2E%2E (encoded dot dot) in the default URI to port 7074 on the Update Server.
nvd
CVE-2021-3554P2CRITICALCVSS 10.0fixed in 6.24.1-1v6.24.1-1+1 more2021-11-24
CVE-2021-3554 [CRITICAL] CWE-284 CVE-2021-3554: Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoin
Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdef
nvd
CVE-2021-3823P3CRITICALCVSS 9.8fixed in 3.3.8.2492021-10-28
CVE-2021-3823 [CRITICAL] CWE-22 CVE-2021-3823: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects: Bitdefender GravityZone versions prior to 3.3.8.249.
nvd
CVE-2025-2244P3CRITICALCVSS 9.8fixed in 6.41.2-12025-04-04
CVE-2025-2244 [CRITICAL] CWE-502 CVE-2025-2244: A vulnerability in the sendMailFromRemoteSource method in Emails.php as used in Bitdefender Gravity
A vulnerability in the sendMailFromRemoteSource method in Emails.php as used in Bitdefender GravityZone Console unsafely uses php unserialize() on user-supplied input without validation. By crafting a malicious serialized payload, an attacker can trigger PHP object injection, perform a file write, and gain arbitrary command execution on the host syst
nvd
CVE-2022-2830P3CRITICALCVSS 9.8fixed in 6.27.2-2fixed in 6.29.2-12022-09-05
CVE-2022-2830 [CRITICAL] CWE-502 CVE-2022-2830: Deserialization of Untrusted Data vulnerability in the message processing component of Bitdefender G
Deserialization of Untrusted Data vulnerability in the message processing component of Bitdefender GravityZone Console allows an attacker to pass unsafe commands to the environment. This issue affects: Bitdefender GravityZone Console On-Premise versions prior to 6.29.2-1. Bitdefender GravityZone Cloud Console versions prior to 6.27.2-2.
nvd
CVE-2024-6980P3CRITICALCVSS 9.8fixed in 6.38.1-52024-07-31
CVE-2024-6980 [CRITICAL] CWE-209 CVE-2024-6980: A verbose error handling issue in the proxy service implemented in the GravityZone Update Server all
A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This issue only affects GravityZone Console versions before 6.38.1-5 running only on premise.
nvd
CVE-2024-4177P3CRITICALCVSS 9.8fixed in 6.38.1-22024-06-06
CVE-2024-4177 [CRITICAL] CWE-116 CVE-2024-4177: A host whitelist parser issue in the proxy service implemented in the GravityZone Update Server allo
A host whitelist parser issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This issue only affects GravityZone Console versions before 6.38.1-2 that are running only on premise.
nvd
CVE-2017-8931P3CRITICALCVSS 9.8fixed in 6.2.1-352018-10-30
CVE-2017-8931 [CRITICAL] CVE-2017-8931: Bitdefender GravityZone VMware appliance before 6.2.1-35 might allow attackers to gain access with r
Bitdefender GravityZone VMware appliance before 6.2.1-35 might allow attackers to gain access with root privileges via unspecified vectors.
nvd
CVE-2021-3959P3HIGHCVSS 7.5fixed in 3.3.8.272≥ unspecified, < 3.3.8.2722021-12-16
CVE-2021-3959 [HIGH] CWE-918 CVE-2021-3959: A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender
A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Bitdefender GravityZone versions prior to 3.3.8.272
nvd
CVE-2021-3553P3HIGHCVSS 7.5v6.24.1-1≥ unspecified, < 6.24.1-12021-11-24
CVE-2021-3553 [HIGH] CWE-918 CVE-2021-3553: A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService of Bitdefender Endpoint S
A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService of Bitdefender Endpoint Security Tools allows an attacker to use the Endpoint Protection relay as a proxy for any remote host. This issue affects: Bitdefender Endpoint Security Tools versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint for Linux
nvd
CVE-2021-3552P3HIGHCVSS 7.5v6.24.1-12021-11-24
CVE-2021-3552 [HIGH] CWE-918 CVE-2021-3552: A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender
A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Endpoint Security Tools versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender GravityZone 6.24.1-1.
nvd
CVE-2025-2243P3HIGHCVSS 7.3fixed in 6.41.2-12025-04-04
CVE-2025-2243 [HIGH] CWE-918 CVE-2025-2243: A server-side request forgery (SSRF) vulnerability in Bitdefender GravityZone Console allows an atta
A server-side request forgery (SSRF) vulnerability in Bitdefender GravityZone Console allows an attacker to bypass input validation logic using leading characters in DNS requests. Paired with other potential vulnerabilities, this bypass could be used for execution of third party code. This issue affects GravityZone Console: before 6.41.2.1.
nvd
CVE-2021-3960P3HIGHCVSS 7.8fixed in 3.3.8.272≥ unspecified, < 3.3.8.2722021-12-16
CVE-2021-3960 [HIGH] CWE-22 CVE-2021-3960: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects Bitdefender GravityZone versions prior to 3.3.8.272
nvd
CVE-2022-0677P3HIGHCVSS 7.5fixed in 26.4-1≥ unspecified, < 26.4-12022-04-07
CVE-2022-0677 [HIGH] CWE-130 CVE-2022-0677: Improper Handling of Length Parameter Inconsistency vulnerability in the Update Server component of
Improper Handling of Length Parameter Inconsistency vulnerability in the Update Server component of Bitdefender Endpoint Security Tools (in relay role), GravityZone (in Update Server role) allows an attacker to cause a Denial-of-Service. This issue affects: Bitdefender Update Server versions prior to 3.4.0.276. Bitdefender GravityZone versions prior to 2
nvd
CVE-2021-3641P4MEDIUMCVSS 6.1≤ 7.1.2.33≥ unspecified, ≤ 7.1.2.332021-11-09
CVE-2021-3641 [MEDIUM] CWE-59 CVE-2021-3641: Improper Link Resolution Before File Access ('Link Following') vulnerability in the EPAG component o
Improper Link Resolution Before File Access ('Link Following') vulnerability in the EPAG component of Bitdefender Endpoint Security Tools for Windows allows a local attacker to cause a denial of service. This issue affects: Bitdefender GravityZone version 7.1.2.33 and prior versions.
nvd