We will be performing scheduled maintenance on our core systems. Online/Mobile Banking and our Bank-By-Phone system will be unavailable on Saturday, December 13, from 10:00 PM (PT) until 4:00 AM (PT) on Sunday, December 14. Thank you for your patience.
Nhdta-793 Exclusive Jun 2026
The TransferRequest class implements java.io.Serializable and contains a field that is never validated. Because Java deserialization is inherently unsafe, an attacker can embed a gadget chain (e.g., from the Apache Commons Collections 3.1 library) that executes arbitrary commands during deserialization.
| Attribute | Detail | |-----------|--------| | | NHDTA‑793 | | CVE | CVE‑2025‑XXXXX (assigned by MITRE) | | Vendor | NetHome Technologies, Inc. | | Product | NetHome Data Transfer Agent (NHDTA) – versions 1.2.0 through 3.4.9 | | Vulnerability type | Remote Code Execution (RCE) – Unauthenticated deserialization of user‑controlled data | | CVSS v3.1 Base Score | 9.8 (Critical) | | Vector | Network (AV:N) / Adjacent Network (AV:A) – depends on deployment | | Complexity | Low (AC:L) | | Privileges Required | None (PR:N) | | User Interaction | None (UI:N) | | Scope | Unchanged (S:U) | | Confidentiality / Integrity / Availability Impact | C/I/A: High | | Discovery date | 2025‑11‑08 | | Public disclosure | 2026‑02‑15 (Full advisory) | | Patch release | 2026‑03‑02 (v3.5.0) | nhdta-793
After the request returns 200 OK , check the target for the indicator file: The TransferRequest class implements java