Justus W. Perlwitz found and helped mitigate the following vulnerabilities.
CVE-2025-9014
A Null Pointer Dereference vulnerability exists in the referer header check of the web portal of TP-Link TL-WR841N v14, caused by improper input validation. A remote, unauthenticated attacker can exploit this flaw and cause Denial of Service on the web portal service. This issue affects TL-WR841N v14: before 250908.
Sources
- Conference talk: QEMU and AFL++ fuzzing for MIPS-based networking equipment
- Slides
- CVE: https://www.cve.org/CVERecord?id=CVE-2025-9014
JVN#83788689
Sensitive information may be accessed from process memory (CVE-2015-1548)
Justus W. Perlwitz of JWP Consulting reported this vulnerability to BUFFALO INC. and coordinated.
After the coordination was completed, BUFFALO INC. reported the case to JPCERT/CC to notify users of the solution through JVN.
Sources
- JVN (English): https://jvn.jp/en/jp/JVN83788689/
- JVN (Japanese): https://jvn.jp/jp/JVN83788689/
- Manufacturer (Japanese): https://www.buffalo.jp/news/detail/20260323-01.html
CVE-2025-41725
JBL: DoS vulnerability in Flip 4
The Bluetooth Classic implementation on JBL Flip 4 devices with firmware version prior to 4.1.0 does not properly handle malformed LMP messages and causes the entire device to crash. Any attacker in radio range can exploit this vulnerability.