Search

Find a vulnerability

Search criteria

    101 vulnerabilities by I-O DATA DEVICE, INC.

    CVE-2025-61865 (GCVE-0-2025-61865)

    Vulnerability from nvd – Published: 2025-10-23 04:14 – Updated: 2025-12-10 06:36
    VLAI
    Summary
    Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-428 - Unquoted search path or element
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61865",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-23T15:00:13.400065Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-23T15:00:29.366Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "NarSuS App",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.33"
                }
              ]
            },
            {
              "product": "Clone for Windows",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver2.36"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-428",
                  "description": "Unquoted search path or element",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T06:36:23.383Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/10_NarSuS_App/"
            },
            {
              "url": "https://www.iodata.jp/support/information/2025/12_CloneforWindows/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN03295012/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-61865",
        "datePublished": "2025-10-23T04:14:50.057Z",
        "dateReserved": "2025-10-02T07:57:52.217Z",
        "dateUpdated": "2025-12-10T06:36:23.383Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-58116 (GCVE-0-2025-58116)

    Vulnerability from nvd – Published: 2025-09-17 03:08 – Updated: 2025-09-17 13:34
    VLAI
    Summary
    Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. WN-7D36QR Affected: firmware Ver.1.1.3 and prior versions
    Create a notification for this product.
    I-O DATA DEVICE, INC. WN-7D36QR/UE Affected: firmware Ver.1.1.3 and prior versions
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58116",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-17T13:33:50.768851Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-17T13:34:00.567Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WN-7D36QR",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.1.3 and prior versions"
                }
              ]
            },
            {
              "product": "WN-7D36QR/UE",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.1.3 and prior versions"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-17T03:08:40.791Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/09_wn-7d36qr/index.htm"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU97490987/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-58116",
        "datePublished": "2025-09-17T03:08:40.791Z",
        "dateReserved": "2025-09-10T08:04:11.408Z",
        "dateUpdated": "2025-09-17T13:34:00.567Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-55075 (GCVE-0-2025-55075)

    Vulnerability from nvd – Published: 2025-09-17 03:08 – Updated: 2025-09-17 13:38
    VLAI
    Summary
    Hidden functionality issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, SSH may be enabled by a remote authenticated attacker.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. WN-7D36QR Affected: firmware Ver.1.1.3 and prior versions
    Create a notification for this product.
    I-O DATA DEVICE, INC. WN-7D36QR/UE Affected: firmware Ver.1.1.3 and prior versions
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55075",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-17T13:37:37.096884Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-17T13:38:05.944Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WN-7D36QR",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.1.3 and prior versions"
                }
              ]
            },
            {
              "product": "WN-7D36QR/UE",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.1.3 and prior versions"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hidden functionality issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, SSH may be enabled by a remote authenticated attacker."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-912",
                  "description": "Hidden functionality",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-17T03:08:37.275Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/09_wn-7d36qr/index.htm"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU97490987/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-55075",
        "datePublished": "2025-09-17T03:08:37.275Z",
        "dateReserved": "2025-09-10T08:04:14.006Z",
        "dateUpdated": "2025-09-17T13:38:05.944Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-32738 (GCVE-0-2025-32738)

    Vulnerability from nvd – Published: 2025-05-15 08:48 – Updated: 2025-05-15 13:59
    VLAI
    Summary
    Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing authentication for critical function
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32738",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-15T13:49:48.202499Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-15T13:59:02.855Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "HDL-TC1",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-TC500",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T1NV",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T1WH",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T2NV",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T2WH",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T3NV",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T3WH",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Missing authentication for critical function issue exists in I-O DATA network attached hard disk \u0027HDL-T Series\u0027 firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing authentication for critical function",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-15T08:48:19.734Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/05_hdl-t/"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU91726405/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-32738",
        "datePublished": "2025-05-15T08:48:19.734Z",
        "dateReserved": "2025-04-15T08:43:36.600Z",
        "dateUpdated": "2025-05-15T13:59:02.855Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-32002 (GCVE-0-2025-32002)

    Vulnerability from nvd – Published: 2025-05-15 08:48 – Updated: 2025-05-15 14:00
    VLAI
    Summary
    Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier when 'Remote Link3 function' is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32002",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-15T13:59:55.448041Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-15T14:00:55.838Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "HDL-TC1",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-TC500",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T1NV",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T1WH",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T2NV",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T2WH",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T3NV",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T3WH",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in I-O DATA network attached hard disk \u0027HDL-T Series\u0027 firmware Ver.1.21 and earlier when \u0027Remote Link3 function\u0027 is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-15T08:48:12.065Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/05_hdl-t/"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU91726405/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-32002",
        "datePublished": "2025-05-15T08:48:12.065Z",
        "dateReserved": "2025-04-15T08:43:39.460Z",
        "dateUpdated": "2025-05-15T14:00:55.838Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-26856 (GCVE-0-2025-26856)

    Vulnerability from nvd – Published: 2025-02-20 05:49 – Updated: 2025-02-20 16:15
    VLAI
    Summary
    Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-20617.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT2 Affected: firmware Ver.1.00.008_SE and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26856",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T16:15:09.554134Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T16:15:20.874Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT2",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.00.008_SE and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-20617."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-20T05:49:49.402Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15293958/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-26856",
        "datePublished": "2025-02-20T05:49:49.402Z",
        "dateReserved": "2025-02-17T00:29:49.508Z",
        "dateUpdated": "2025-02-20T16:15:20.874Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-23237 (GCVE-0-2025-23237)

    Vulnerability from nvd – Published: 2025-01-22 05:50 – Updated: 2025-02-12 20:41
    VLAI
    Summary
    Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If a user logs in to CLI of the affected product, an arbitrary OS command may be executed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT2 Affected: firmware Ver.1.00.008_SE and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23237",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-22T14:33:28.348307Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:22.887Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT2",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.00.008_SE and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If a user logs in to CLI of the affected product, an arbitrary OS command may be executed."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 6.6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-22T05:50:14.930Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15293958/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-23237",
        "datePublished": "2025-01-22T05:50:14.930Z",
        "dateReserved": "2025-01-16T07:05:52.884Z",
        "dateUpdated": "2025-02-12T20:41:22.887Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22450 (GCVE-0-2025-22450)

    Vulnerability from nvd – Published: 2025-01-22 05:49 – Updated: 2025-02-12 20:41
    VLAI
    Summary
    Inclusion of undocumented features issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. A remote attacker may disable the LAN-side firewall function of the affected products, and open specific ports.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1242 - Inclusion of undocumented features or chicken bits
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT2 Affected: firmware Ver.1.00.008_SE and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22450",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-22T14:33:09.160199Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:22.761Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT2",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.00.008_SE and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Inclusion of undocumented features issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. A remote attacker may disable the LAN-side firewall function of the affected products, and open specific ports."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1242",
                  "description": "Inclusion of undocumented features or chicken bits",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-22T05:49:13.793Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15293958/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-22450",
        "datePublished": "2025-01-22T05:49:13.793Z",
        "dateReserved": "2025-01-16T07:05:53.738Z",
        "dateUpdated": "2025-02-12T20:41:22.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-20617 (GCVE-0-2025-20617)

    Vulnerability from nvd – Published: 2025-01-22 05:48 – Updated: 2025-02-20 05:51
    VLAI
    Summary
    Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-26856.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT2 Affected: firmware Ver.1.00.008_SE and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-20617",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-22T14:32:52.824972Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:22.567Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT2",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.00.008_SE and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-26856."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-20T05:51:16.359Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15293958/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-20617",
        "datePublished": "2025-01-22T05:48:18.973Z",
        "dateReserved": "2025-01-16T07:05:54.779Z",
        "dateUpdated": "2025-02-20T05:51:16.359Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52564 (GCVE-0-2024-52564)

    Vulnerability from nvd – Published: 2024-12-05 09:41 – Updated: 2025-01-29 04:55
    VLAI
    Summary
    Inclusion of undocumented features or chicken bits issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1242 - Inclusion of undocumented features or chicken bits
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT1 Affected: firmware Ver.2.1.8 and earlier
    Create a notification for this product.
    I-O DATA DEVICE, INC. UD-LT1/EX Affected: firmware Ver.2.1.8 and earlier
    Create a notification for this product.
    iodata ud-lt1_firmware Affected: 0 , ≤ 2.1.8 (custom)
        cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:*
    Create a notification for this product.
    iodata ud-lt1\/ex_firmware Affected: 0 , ≤ 2.1.8 (custom)
        cpe:2.3:o:iodata:ud-lt1\/ex_firmware:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ud-lt1_firmware",
                "vendor": "iodata",
                "versions": [
                  {
                    "lessThanOrEqual": "2.1.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:iodata:ud-lt1\\/ex_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ud-lt1\\/ex_firmware",
                "vendor": "iodata",
                "versions": [
                  {
                    "lessThanOrEqual": "2.1.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52564",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-06T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-29T04:55:28.107Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT1",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.2.1.8 and earlier"
                }
              ]
            },
            {
              "product": "UD-LT1/EX",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.2.1.8 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Inclusion of undocumented features or chicken bits issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1242",
                  "description": "Inclusion of undocumented features or chicken bits",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-05T09:41:39.909Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN46615026/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-52564",
        "datePublished": "2024-12-05T09:41:39.909Z",
        "dateReserved": "2024-11-14T01:18:51.324Z",
        "dateUpdated": "2025-01-29T04:55:28.107Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-47133 (GCVE-0-2024-47133)

    Vulnerability from nvd – Published: 2024-12-05 09:40 – Updated: 2024-12-18 06:33
    VLAI
    Summary
    UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier allow a remote authenticated attacker with an administrative account to execute arbitrary OS commands.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT1 Affected: firmware Ver.2.1.9 and earlier
    Create a notification for this product.
    I-O DATA DEVICE, INC. UD-LT1/EX Affected: firmware Ver.2.1.9 and earlier
    Create a notification for this product.
    iodata ud-lt1_firmware Affected: 0 , ≤ 2.1.8 (custom)
        cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:*
    Create a notification for this product.
    iodata ud-lt1\/ex_firmware Affected: 0 , ≤ 2.1.8 (custom)
        cpe:2.3:o:iodata:ud-lt1\/ex_firmware:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ud-lt1_firmware",
                "vendor": "iodata",
                "versions": [
                  {
                    "lessThanOrEqual": "2.1.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:iodata:ud-lt1\\/ex_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ud-lt1\\/ex_firmware",
                "vendor": "iodata",
                "versions": [
                  {
                    "lessThanOrEqual": "2.1.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-47133",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-05T18:44:10.055478Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-05T18:50:28.298Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT1",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.2.1.9 and earlier"
                }
              ]
            },
            {
              "product": "UD-LT1/EX",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.2.1.9 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier allow a remote authenticated attacker with an administrative account to execute arbitrary OS commands."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-18T06:33:27.182Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN46615026/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-47133",
        "datePublished": "2024-12-05T09:40:48.474Z",
        "dateReserved": "2024-11-22T00:54:46.024Z",
        "dateUpdated": "2024-12-18T06:33:27.182Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-45841 (GCVE-0-2024-45841)

    Vulnerability from nvd – Published: 2024-12-05 09:39 – Updated: 2024-12-18 06:32
    VLAI
    Summary
    Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect permission assignment for critical resource
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT1 Affected: firmware Ver.2.1.9 and earlier
    Create a notification for this product.
    I-O DATA DEVICE, INC. UD-LT1/EX Affected: firmware Ver.2.1.9 and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45841",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-05T11:04:58.403624Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-05T11:13:24.038Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT1",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.2.1.9 and earlier"
                }
              ]
            },
            {
              "product": "UD-LT1/EX",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.2.1.9 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "Incorrect permission assignment for critical resource",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-18T06:32:37.504Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN46615026/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-45841",
        "datePublished": "2024-12-05T09:39:36.181Z",
        "dateReserved": "2024-11-22T00:54:44.862Z",
        "dateUpdated": "2024-12-18T06:32:37.504Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-0663 (GCVE-0-2018-0663)

    Vulnerability from nvd – Published: 2018-09-07 14:00 – Updated: 2024-08-05 03:35
    VLAI
    Summary
    Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) use hardcoded credentials which may allow an remote authenticated attacker to execute arbitrary OS commands on the device via unspecified vector.
    Severity
    No CVSS data available.
    CWE
    • Use of Hard-coded Credentials
    Assigner
    References
    URL Tags
    http://www.iodata.jp/support/information/2018/ts-wrlp/ x_refsource_CONFIRM
    http://jvn.jp/en/jp/JVN83701666/index.html third-party-advisoryx_refsource_JVN
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. Multiple I-O DATA network camera products Affected: (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier)
    Create a notification for this product.
    Date Public
    2018-08-07 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:35:49.100Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://www.iodata.jp/support/information/2018/ts-wrlp/"
              },
              {
                "name": "JVN#83701666",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_JVN",
                  "x_transferred"
                ],
                "url": "http://jvn.jp/en/jp/JVN83701666/index.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Multiple I-O DATA network camera products",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "(TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier)"
                }
              ]
            }
          ],
          "datePublic": "2018-08-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) use hardcoded credentials which may allow an remote authenticated attacker to execute arbitrary OS commands on the device via unspecified vector."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-07T13:57:01.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://www.iodata.jp/support/information/2018/ts-wrlp/"
            },
            {
              "name": "JVN#83701666",
              "tags": [
                "third-party-advisory",
                "x_refsource_JVN"
              ],
              "url": "http://jvn.jp/en/jp/JVN83701666/index.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2018-0663",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Multiple I-O DATA network camera products",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "(TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier)"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "I-O DATA DEVICE, INC."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) use hardcoded credentials which may allow an remote authenticated attacker to execute arbitrary OS commands on the device via unspecified vector."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Use of Hard-coded Credentials"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://www.iodata.jp/support/information/2018/ts-wrlp/",
                  "refsource": "CONFIRM",
                  "url": "http://www.iodata.jp/support/information/2018/ts-wrlp/"
                },
                {
                  "name": "JVN#83701666",
                  "refsource": "JVN",
                  "url": "http://jvn.jp/en/jp/JVN83701666/index.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2018-0663",
        "datePublished": "2018-09-07T14:00:00.000Z",
        "dateReserved": "2017-11-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T03:35:49.100Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-61865 (GCVE-0-2025-61865)

    Vulnerability from cvelistv5 – Published: 2025-10-23 04:14 – Updated: 2025-12-10 06:36
    VLAI
    Summary
    Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-428 - Unquoted search path or element
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61865",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-23T15:00:13.400065Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-23T15:00:29.366Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "NarSuS App",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.33"
                }
              ]
            },
            {
              "product": "Clone for Windows",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver2.36"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-428",
                  "description": "Unquoted search path or element",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T06:36:23.383Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/10_NarSuS_App/"
            },
            {
              "url": "https://www.iodata.jp/support/information/2025/12_CloneforWindows/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN03295012/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-61865",
        "datePublished": "2025-10-23T04:14:50.057Z",
        "dateReserved": "2025-10-02T07:57:52.217Z",
        "dateUpdated": "2025-12-10T06:36:23.383Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-58116 (GCVE-0-2025-58116)

    Vulnerability from cvelistv5 – Published: 2025-09-17 03:08 – Updated: 2025-09-17 13:34
    VLAI
    Summary
    Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. WN-7D36QR Affected: firmware Ver.1.1.3 and prior versions
    Create a notification for this product.
    I-O DATA DEVICE, INC. WN-7D36QR/UE Affected: firmware Ver.1.1.3 and prior versions
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58116",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-17T13:33:50.768851Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-17T13:34:00.567Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WN-7D36QR",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.1.3 and prior versions"
                }
              ]
            },
            {
              "product": "WN-7D36QR/UE",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.1.3 and prior versions"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-17T03:08:40.791Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/09_wn-7d36qr/index.htm"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU97490987/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-58116",
        "datePublished": "2025-09-17T03:08:40.791Z",
        "dateReserved": "2025-09-10T08:04:11.408Z",
        "dateUpdated": "2025-09-17T13:34:00.567Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-55075 (GCVE-0-2025-55075)

    Vulnerability from cvelistv5 – Published: 2025-09-17 03:08 – Updated: 2025-09-17 13:38
    VLAI
    Summary
    Hidden functionality issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, SSH may be enabled by a remote authenticated attacker.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. WN-7D36QR Affected: firmware Ver.1.1.3 and prior versions
    Create a notification for this product.
    I-O DATA DEVICE, INC. WN-7D36QR/UE Affected: firmware Ver.1.1.3 and prior versions
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55075",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-17T13:37:37.096884Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-17T13:38:05.944Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WN-7D36QR",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.1.3 and prior versions"
                }
              ]
            },
            {
              "product": "WN-7D36QR/UE",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.1.3 and prior versions"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hidden functionality issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, SSH may be enabled by a remote authenticated attacker."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-912",
                  "description": "Hidden functionality",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-17T03:08:37.275Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/09_wn-7d36qr/index.htm"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU97490987/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-55075",
        "datePublished": "2025-09-17T03:08:37.275Z",
        "dateReserved": "2025-09-10T08:04:14.006Z",
        "dateUpdated": "2025-09-17T13:38:05.944Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-32738 (GCVE-0-2025-32738)

    Vulnerability from cvelistv5 – Published: 2025-05-15 08:48 – Updated: 2025-05-15 13:59
    VLAI
    Summary
    Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing authentication for critical function
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32738",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-15T13:49:48.202499Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-15T13:59:02.855Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "HDL-TC1",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-TC500",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T1NV",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T1WH",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T2NV",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T2WH",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T3NV",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T3WH",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Missing authentication for critical function issue exists in I-O DATA network attached hard disk \u0027HDL-T Series\u0027 firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing authentication for critical function",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-15T08:48:19.734Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/05_hdl-t/"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU91726405/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-32738",
        "datePublished": "2025-05-15T08:48:19.734Z",
        "dateReserved": "2025-04-15T08:43:36.600Z",
        "dateUpdated": "2025-05-15T13:59:02.855Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-32002 (GCVE-0-2025-32002)

    Vulnerability from cvelistv5 – Published: 2025-05-15 08:48 – Updated: 2025-05-15 14:00
    VLAI
    Summary
    Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier when 'Remote Link3 function' is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32002",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-15T13:59:55.448041Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-15T14:00:55.838Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "HDL-TC1",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-TC500",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T1NV",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T1WH",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T2NV",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T2WH",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T3NV",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            },
            {
              "product": "HDL-T3WH",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.1.21 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in I-O DATA network attached hard disk \u0027HDL-T Series\u0027 firmware Ver.1.21 and earlier when \u0027Remote Link3 function\u0027 is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-15T08:48:12.065Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/05_hdl-t/"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU91726405/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-32002",
        "datePublished": "2025-05-15T08:48:12.065Z",
        "dateReserved": "2025-04-15T08:43:39.460Z",
        "dateUpdated": "2025-05-15T14:00:55.838Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-26856 (GCVE-0-2025-26856)

    Vulnerability from cvelistv5 – Published: 2025-02-20 05:49 – Updated: 2025-02-20 16:15
    VLAI
    Summary
    Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-20617.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT2 Affected: firmware Ver.1.00.008_SE and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26856",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T16:15:09.554134Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T16:15:20.874Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT2",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.00.008_SE and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-20617."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-20T05:49:49.402Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15293958/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-26856",
        "datePublished": "2025-02-20T05:49:49.402Z",
        "dateReserved": "2025-02-17T00:29:49.508Z",
        "dateUpdated": "2025-02-20T16:15:20.874Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-23237 (GCVE-0-2025-23237)

    Vulnerability from cvelistv5 – Published: 2025-01-22 05:50 – Updated: 2025-02-12 20:41
    VLAI
    Summary
    Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If a user logs in to CLI of the affected product, an arbitrary OS command may be executed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT2 Affected: firmware Ver.1.00.008_SE and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23237",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-22T14:33:28.348307Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:22.887Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT2",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.00.008_SE and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If a user logs in to CLI of the affected product, an arbitrary OS command may be executed."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 6.6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-22T05:50:14.930Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15293958/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-23237",
        "datePublished": "2025-01-22T05:50:14.930Z",
        "dateReserved": "2025-01-16T07:05:52.884Z",
        "dateUpdated": "2025-02-12T20:41:22.887Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22450 (GCVE-0-2025-22450)

    Vulnerability from cvelistv5 – Published: 2025-01-22 05:49 – Updated: 2025-02-12 20:41
    VLAI
    Summary
    Inclusion of undocumented features issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. A remote attacker may disable the LAN-side firewall function of the affected products, and open specific ports.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1242 - Inclusion of undocumented features or chicken bits
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT2 Affected: firmware Ver.1.00.008_SE and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22450",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-22T14:33:09.160199Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:22.761Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT2",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.00.008_SE and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Inclusion of undocumented features issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. A remote attacker may disable the LAN-side firewall function of the affected products, and open specific ports."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1242",
                  "description": "Inclusion of undocumented features or chicken bits",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-22T05:49:13.793Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15293958/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-22450",
        "datePublished": "2025-01-22T05:49:13.793Z",
        "dateReserved": "2025-01-16T07:05:53.738Z",
        "dateUpdated": "2025-02-12T20:41:22.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-20617 (GCVE-0-2025-20617)

    Vulnerability from cvelistv5 – Published: 2025-01-22 05:48 – Updated: 2025-02-20 05:51
    VLAI
    Summary
    Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-26856.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT2 Affected: firmware Ver.1.00.008_SE and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-20617",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-22T14:32:52.824972Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:22.567Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT2",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.1.00.008_SE and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-26856."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-20T05:51:16.359Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15293958/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-20617",
        "datePublished": "2025-01-22T05:48:18.973Z",
        "dateReserved": "2025-01-16T07:05:54.779Z",
        "dateUpdated": "2025-02-20T05:51:16.359Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52564 (GCVE-0-2024-52564)

    Vulnerability from cvelistv5 – Published: 2024-12-05 09:41 – Updated: 2025-01-29 04:55
    VLAI
    Summary
    Inclusion of undocumented features or chicken bits issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1242 - Inclusion of undocumented features or chicken bits
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT1 Affected: firmware Ver.2.1.8 and earlier
    Create a notification for this product.
    I-O DATA DEVICE, INC. UD-LT1/EX Affected: firmware Ver.2.1.8 and earlier
    Create a notification for this product.
    iodata ud-lt1_firmware Affected: 0 , ≤ 2.1.8 (custom)
        cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:*
    Create a notification for this product.
    iodata ud-lt1\/ex_firmware Affected: 0 , ≤ 2.1.8 (custom)
        cpe:2.3:o:iodata:ud-lt1\/ex_firmware:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ud-lt1_firmware",
                "vendor": "iodata",
                "versions": [
                  {
                    "lessThanOrEqual": "2.1.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:iodata:ud-lt1\\/ex_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ud-lt1\\/ex_firmware",
                "vendor": "iodata",
                "versions": [
                  {
                    "lessThanOrEqual": "2.1.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52564",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-06T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-29T04:55:28.107Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT1",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.2.1.8 and earlier"
                }
              ]
            },
            {
              "product": "UD-LT1/EX",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.2.1.8 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Inclusion of undocumented features or chicken bits issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1242",
                  "description": "Inclusion of undocumented features or chicken bits",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-05T09:41:39.909Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN46615026/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-52564",
        "datePublished": "2024-12-05T09:41:39.909Z",
        "dateReserved": "2024-11-14T01:18:51.324Z",
        "dateUpdated": "2025-01-29T04:55:28.107Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-47133 (GCVE-0-2024-47133)

    Vulnerability from cvelistv5 – Published: 2024-12-05 09:40 – Updated: 2024-12-18 06:33
    VLAI
    Summary
    UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier allow a remote authenticated attacker with an administrative account to execute arbitrary OS commands.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT1 Affected: firmware Ver.2.1.9 and earlier
    Create a notification for this product.
    I-O DATA DEVICE, INC. UD-LT1/EX Affected: firmware Ver.2.1.9 and earlier
    Create a notification for this product.
    iodata ud-lt1_firmware Affected: 0 , ≤ 2.1.8 (custom)
        cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:*
    Create a notification for this product.
    iodata ud-lt1\/ex_firmware Affected: 0 , ≤ 2.1.8 (custom)
        cpe:2.3:o:iodata:ud-lt1\/ex_firmware:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ud-lt1_firmware",
                "vendor": "iodata",
                "versions": [
                  {
                    "lessThanOrEqual": "2.1.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:iodata:ud-lt1\\/ex_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ud-lt1\\/ex_firmware",
                "vendor": "iodata",
                "versions": [
                  {
                    "lessThanOrEqual": "2.1.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-47133",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-05T18:44:10.055478Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-05T18:50:28.298Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT1",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.2.1.9 and earlier"
                }
              ]
            },
            {
              "product": "UD-LT1/EX",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.2.1.9 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier allow a remote authenticated attacker with an administrative account to execute arbitrary OS commands."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-18T06:33:27.182Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN46615026/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-47133",
        "datePublished": "2024-12-05T09:40:48.474Z",
        "dateReserved": "2024-11-22T00:54:46.024Z",
        "dateUpdated": "2024-12-18T06:33:27.182Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-45841 (GCVE-0-2024-45841)

    Vulnerability from cvelistv5 – Published: 2024-12-05 09:39 – Updated: 2024-12-18 06:32
    VLAI
    Summary
    Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect permission assignment for critical resource
    Assigner
    Impacted products
    Vendor Product Version
    I-O DATA DEVICE, INC. UD-LT1 Affected: firmware Ver.2.1.9 and earlier
    Create a notification for this product.
    I-O DATA DEVICE, INC. UD-LT1/EX Affected: firmware Ver.2.1.9 and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45841",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-05T11:04:58.403624Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-05T11:13:24.038Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UD-LT1",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.2.1.9 and earlier"
                }
              ]
            },
            {
              "product": "UD-LT1/EX",
              "vendor": "I-O DATA DEVICE, INC.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware Ver.2.1.9 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "Incorrect permission assignment for critical resource",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-18T06:32:37.504Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN46615026/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-45841",
        "datePublished": "2024-12-05T09:39:36.181Z",
        "dateReserved": "2024-11-22T00:54:44.862Z",
        "dateUpdated": "2024-12-18T06:32:37.504Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    JVNDB-2025-000091

    Vulnerability from jvndb - Published: 2025-10-22 15:04 - Updated:2025-12-10 16:20
    Severity
    Summary
    Multiple I-O DATA NAS management applications register Windows services with unquoted file paths
    Details
    Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. Multiple NAS management applications provided by I-O DATA DEVICE, INC. contain the following vulnerability.
    • Unquoted search path or element (CWE-428) - CVE-2025-61865
    Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000091.html",
      "dc:date": "2025-12-10T16:20+09:00",
      "dcterms:issued": "2025-10-22T15:04+09:00",
      "dcterms:modified": "2025-12-10T16:20+09:00",
      "description": "Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths.\r\nMultiple NAS management applications provided by I-O DATA DEVICE, INC. contain the following vulnerability.\r\n\u003cul\u003e\u003cli\u003eUnquoted search path or element (CWE-428) - CVE-2025-61865\u003c/li\u003e\u003c/ul\u003e\r\nKazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000091.html",
      "sec:cpe": [
        {
          "#text": "cpe:/a:i-o_data_device:clone_for_windows",
          "@product": "Clone for Windows",
          "@vendor": "I-O DATA DEVICE, INC.",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/a:i-o_data_device:narsus_app",
          "@product": "NarSuS app",
          "@vendor": "I-O DATA DEVICE, INC.",
          "@version": "2.2"
        }
      ],
      "sec:cvss": {
        "@score": "6.7",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2025-000091",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN03295012/index.html",
          "@id": "JVN#03295012",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-61865",
          "@id": "CVE-2025-61865",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "Multiple I-O DATA NAS management applications register Windows services with unquoted file paths"
    }

    JVNDB-2025-014104

    Vulnerability from jvndb - Published: 2025-09-19 14:58 - Updated:2025-09-19 14:58
    Severity
    Summary
    Multiple vulnerabilities in I-O DATA wireless LAN routers
    Details
    Wireless LAN routers provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities listed below. * Hidden functionality (CWE-912) - CVE-2025-55075 * OS command injection (CWE-78) - CVE-2025-58116 Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-014104.html",
      "dc:date": "2025-09-19T14:58+09:00",
      "dcterms:issued": "2025-09-19T14:58+09:00",
      "dcterms:modified": "2025-09-19T14:58+09:00",
      "description": "Wireless LAN routers provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities listed below.\r\n\r\n* Hidden functionality (CWE-912) - CVE-2025-55075\r\n* OS command injection (CWE-78) - CVE-2025-58116\r\n\r\nChuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
      "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-014104.html",
      "sec:cpe": [
        {
          "#text": "cpe:/o:i-o_data_device:wn-7d36qr%2fue_firmware",
          "@product": "WN-7D36QR/UE firmware",
          "@vendor": "I-O DATA DEVICE, INC.",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:i-o_data_device:wn-7d36qr_firmware",
          "@product": "WN-7D36QR firmware",
          "@vendor": "I-O DATA DEVICE, INC.",
          "@version": "2.2"
        }
      ],
      "sec:cvss": {
        "@score": "7.2",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2025-014104",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU97490987/index.html",
          "@id": "JVNVU#97490987",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-55075",
          "@id": "CVE-2025-55075",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-58116",
          "@id": "CVE-2025-58116",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-78",
          "@title": "OS Command Injection(CWE-78)"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/912.html",
          "@id": "CWE-912",
          "@title": "Hidden Functionality(CWE-912)"
        }
      ],
      "title": "Multiple vulnerabilities in I-O DATA wireless LAN routers"
    }

    JVNDB-2025-005057

    Vulnerability from jvndb - Published: 2025-05-15 18:27 - Updated:2025-05-15 18:27
    Severity
    Summary
    Multiple vulnerabilities in I-O DATA network attached hard disk 'HDL-T Series'
    Details
    Network attached hard disk 'HDL-T Series' provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities.
    • OS command injection (CWE-78)
      • Affected when 'Remote Link3 function' is enabled
      • CVE-2025-32002
    • Missing authentication for critical function (CWE-306)
      • CVE-2025-32738
    Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-005057.html",
      "dc:date": "2025-05-15T18:27+09:00",
      "dcterms:issued": "2025-05-15T18:27+09:00",
      "dcterms:modified": "2025-05-15T18:27+09:00",
      "description": "Network attached hard disk \u0027HDL-T Series\u0027 provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities.\r\n\r\n\u003cul\u003e\r\n\u003cli\u003eOS command injection (CWE-78)\u003c/li\u003e\r\n\u003cul\u003e\r\n\u003cli\u003eAffected when \u0027Remote Link3 function\u0027 is enabled\u003c/li\u003e\r\n\u003cli\u003eCVE-2025-32002\u003c/li\u003e\r\n\u003c/ul\u003e\r\n\r\n\u003cli\u003eMissing authentication for critical function (CWE-306)\u003c/li\u003e\r\n\u003cul\u003e\u003cli\u003eCVE-2025-32738\u003c/li\u003e\u003c/ul\u003e\r\n\u003c/ul\u003e\r\n\r\nChuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
      "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-005057.html",
      "sec:cpe": {
        "#text": "cpe:/h:i-o_data_device:hdl-t",
        "@product": "HDL-T Series",
        "@vendor": "I-O DATA DEVICE, INC.",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "9.8",
        "@severity": "Critical",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2025-005057",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU91726405/index.html",
          "@id": "JVNVU#91726405",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-32002",
          "@id": "CVE-2025-32002",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-32738",
          "@id": "CVE-2025-32738",
          "@source": "CVE"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/306.html",
          "@id": "CWE-306",
          "@title": "Missing Authentication for Critical Function(CWE-306)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-78",
          "@title": "OS Command Injection(CWE-78)"
        }
      ],
      "title": "Multiple vulnerabilities in I-O DATA network attached hard disk \u0027HDL-T Series\u0027"
    }

    JVNDB-2025-000004

    Vulnerability from jvndb - Published: 2025-01-22 13:55 - Updated:2025-02-20 15:55
    Severity
    Summary
    Multiple vulnerabilities in I-O DATA router UD-LT2
    Details
    UD-LT2 provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities listed below.
    • OS Command Injection (CWE-78) - CVE-2025-20617, CVE-2025-26856
    • Inclusion of Undocumented Features (CWE-1242) - CVE-2025-22450
    • OS Command Injection (CWE-78) - CVE-2025-23237
    CVE-2025-20617, CVE-2025-22450, CVE-2025-23237 Takeshi Kuramori, Kaori Takashima, and Kohei Masumi of National Institute of Information and Communications Technology, Cybersecurity Research Institute reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2025-26856 Masashi Shiraishi of Mitsui Bussan Secure Directions, Inc. reported this vulnerability IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000004.html",
      "dc:date": "2025-02-20T15:55+09:00",
      "dcterms:issued": "2025-01-22T13:55+09:00",
      "dcterms:modified": "2025-02-20T15:55+09:00",
      "description": "UD-LT2 provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities listed below.\u003cul\u003e\u003cli\u003eOS Command Injection (CWE-78) - CVE-2025-20617, CVE-2025-26856\u003c/li\u003e\u003cli\u003eInclusion of Undocumented Features (CWE-1242) - CVE-2025-22450\u003c/li\u003e\u003cli\u003eOS Command Injection (CWE-78) - CVE-2025-23237\u003c/li\u003e\u003c/ul\u003e\r\n\r\nCVE-2025-20617, CVE-2025-22450, CVE-2025-23237\r\nTakeshi Kuramori, Kaori Takashima, and Kohei Masumi of National Institute of Information and Communications Technology, Cybersecurity Research Institute reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2025-26856\r\nMasashi Shiraishi of Mitsui Bussan Secure Directions, Inc. reported this vulnerability IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000004.html",
      "sec:cpe": {
        "#text": "cpe:/o:i-o_data_device:ud-lt2_firmware",
        "@product": "UD-LT2 firmware",
        "@vendor": "I-O DATA DEVICE, INC.",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "7.5",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2025-000004",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN15293958/index.html",
          "@id": "JVN#15293958",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-20617",
          "@id": "CVE-2025-20617",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-22450",
          "@id": "CVE-2025-22450",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-23237",
          "@id": "CVE-2025-23237",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-26856",
          "@id": "CVE-2025-26856",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-78",
          "@title": "OS Command Injection(CWE-78)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "Multiple vulnerabilities in I-O DATA router UD-LT2"
    }

    JVNDB-2024-000125

    Vulnerability from jvndb - Published: 2024-12-04 15:22 - Updated:2024-12-18 15:20
    Severity
    Summary
    Multiple vulnerabilities in I-O DATA routers UD-LT1 and UD-LT1/EX
    Details
    UD-LT1 and UD-LT1/EX provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below.
    • Incorrect Permission Assignment for Critical Resource (CWE-732) - CVE-2024-45841
    • OS Command Injection (CWE-78) - CVE-2024-47133
    • Inclusion of Undocumented Features (CWE-1242) - CVE-2024-52564
    The developer states that attacks exploiting these vulnerabilities have been observed. CVE-2024-45841, CVE-2024-47133 Takeshi Kuramori, Kaori Takashima, and Kohei Masumi of National Institute of Information and Communications Technology, Cybersecurity Research Institute reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2024-52564 Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000125.html",
      "dc:date": "2024-12-18T15:20+09:00",
      "dcterms:issued": "2024-12-04T15:22+09:00",
      "dcterms:modified": "2024-12-18T15:20+09:00",
      "description": "UD-LT1 and UD-LT1/EX provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eIncorrect Permission Assignment for Critical Resource (CWE-732) - CVE-2024-45841\u003c/li\u003e\u003cli\u003eOS Command Injection (CWE-78) - CVE-2024-47133\u003c/li\u003e\u003cli\u003eInclusion of Undocumented Features (CWE-1242) - CVE-2024-52564\u003c/li\u003e\u003c/ul\u003e\r\nThe developer states that attacks exploiting these vulnerabilities have been observed.\r\n\r\nCVE-2024-45841, CVE-2024-47133\r\nTakeshi Kuramori, Kaori Takashima, and Kohei Masumi of National Institute of Information and Communications Technology, Cybersecurity Research Institute reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2024-52564\r\nChuya Hayakawa and Ryo Kamino of 00One, Inc. reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
      "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000125.html",
      "sec:cpe": [
        {
          "#text": "cpe:/o:i-o_data_device:ud-lt1_ex_firmware",
          "@product": "UD-LT1/EX firmware",
          "@vendor": "I-O DATA DEVICE, INC.",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:i-o_data_device:ud-lt1_firmware",
          "@product": "UD-LT1 firmware",
          "@vendor": "I-O DATA DEVICE, INC.",
          "@version": "2.2"
        }
      ],
      "sec:cvss": {
        "@score": "7.5",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2024-000125",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN46615026/index.html",
          "@id": "JVN#46615026",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-45841",
          "@id": "CVE-2024-45841",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-47133",
          "@id": "CVE-2024-47133",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-52564",
          "@id": "CVE-2024-52564",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/security/security-alert/2024/20241204-jvn.html",
          "@id": "Security Alert for Vulnerability in I-O DATA routers UD-LT1 and UD-LT1/EX (JVN#46615026)",
          "@source": "IPA SECURITY ALERTS"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-78",
          "@title": "OS Command Injection(CWE-78)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "Multiple vulnerabilities in I-O DATA routers UD-LT1 and UD-LT1/EX"
    }