Search
Find a vulnerability
Search criteria
101 vulnerabilities by I-O DATA DEVICE, INC.
CVE-2025-61865 (GCVE-0-2025-61865)
Vulnerability from nvd – Published: 2025-10-23 04:14 – Updated: 2025-12-10 06:36
VLAI
EPSS
VEX
Summary
Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-428 - Unquoted search path or element
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | NarSuS App |
Affected:
prior to Ver.2.33
|
|
| I-O DATA DEVICE, INC. | Clone for Windows |
Affected:
prior to Ver2.36
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T15:00:13.400065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T15:00:29.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "NarSuS App",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.33"
}
]
},
{
"product": "Clone for Windows",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "prior to Ver2.36"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "Unquoted search path or element",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T06:36:23.383Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/10_NarSuS_App/"
},
{
"url": "https://www.iodata.jp/support/information/2025/12_CloneforWindows/"
},
{
"url": "https://jvn.jp/en/jp/JVN03295012/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-61865",
"datePublished": "2025-10-23T04:14:50.057Z",
"dateReserved": "2025-10-02T07:57:52.217Z",
"dateUpdated": "2025-12-10T06:36:23.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58116 (GCVE-0-2025-58116)
Vulnerability from nvd – Published: 2025-09-17 03:08 – Updated: 2025-09-17 13:34
VLAI
EPSS
VEX
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | WN-7D36QR |
Affected:
firmware Ver.1.1.3 and prior versions
|
|
| I-O DATA DEVICE, INC. | WN-7D36QR/UE |
Affected:
firmware Ver.1.1.3 and prior versions
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58116",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T13:33:50.768851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:34:00.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WN-7D36QR",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.1.3 and prior versions"
}
]
},
{
"product": "WN-7D36QR/UE",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.1.3 and prior versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T03:08:40.791Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/09_wn-7d36qr/index.htm"
},
{
"url": "https://jvn.jp/en/vu/JVNVU97490987/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-58116",
"datePublished": "2025-09-17T03:08:40.791Z",
"dateReserved": "2025-09-10T08:04:11.408Z",
"dateUpdated": "2025-09-17T13:34:00.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55075 (GCVE-0-2025-55075)
Vulnerability from nvd – Published: 2025-09-17 03:08 – Updated: 2025-09-17 13:38
VLAI
EPSS
VEX
Summary
Hidden functionality issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, SSH may be enabled by a remote authenticated attacker.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-912 - Hidden functionality
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | WN-7D36QR |
Affected:
firmware Ver.1.1.3 and prior versions
|
|
| I-O DATA DEVICE, INC. | WN-7D36QR/UE |
Affected:
firmware Ver.1.1.3 and prior versions
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55075",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T13:37:37.096884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:38:05.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WN-7D36QR",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.1.3 and prior versions"
}
]
},
{
"product": "WN-7D36QR/UE",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.1.3 and prior versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hidden functionality issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, SSH may be enabled by a remote authenticated attacker."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-912",
"description": "Hidden functionality",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T03:08:37.275Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/09_wn-7d36qr/index.htm"
},
{
"url": "https://jvn.jp/en/vu/JVNVU97490987/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-55075",
"datePublished": "2025-09-17T03:08:37.275Z",
"dateReserved": "2025-09-10T08:04:14.006Z",
"dateUpdated": "2025-09-17T13:38:05.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32738 (GCVE-0-2025-32738)
Vulnerability from nvd – Published: 2025-05-15 08:48 – Updated: 2025-05-15 13:59
VLAI
EPSS
VEX
Summary
Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing authentication for critical function
Assigner
References
2 references
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | HDL-TC1 |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-TC500 |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T1NV |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T1WH |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T2NV |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T2WH |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T3NV |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T3WH |
Affected:
Ver.1.21 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T13:49:48.202499Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T13:59:02.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "HDL-TC1",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-TC500",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T1NV",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T1WH",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T2NV",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T2WH",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T3NV",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T3WH",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authentication for critical function issue exists in I-O DATA network attached hard disk \u0027HDL-T Series\u0027 firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing authentication for critical function",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T08:48:19.734Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/05_hdl-t/"
},
{
"url": "https://jvn.jp/en/vu/JVNVU91726405/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-32738",
"datePublished": "2025-05-15T08:48:19.734Z",
"dateReserved": "2025-04-15T08:43:36.600Z",
"dateUpdated": "2025-05-15T13:59:02.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32002 (GCVE-0-2025-32002)
Vulnerability from nvd – Published: 2025-05-15 08:48 – Updated: 2025-05-15 14:00
VLAI
EPSS
VEX
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier when 'Remote Link3 function' is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | HDL-TC1 |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-TC500 |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T1NV |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T1WH |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T2NV |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T2WH |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T3NV |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T3WH |
Affected:
Ver.1.21 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32002",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T13:59:55.448041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T14:00:55.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "HDL-TC1",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-TC500",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T1NV",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T1WH",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T2NV",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T2WH",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T3NV",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T3WH",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in I-O DATA network attached hard disk \u0027HDL-T Series\u0027 firmware Ver.1.21 and earlier when \u0027Remote Link3 function\u0027 is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T08:48:12.065Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/05_hdl-t/"
},
{
"url": "https://jvn.jp/en/vu/JVNVU91726405/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-32002",
"datePublished": "2025-05-15T08:48:12.065Z",
"dateReserved": "2025-04-15T08:43:39.460Z",
"dateUpdated": "2025-05-15T14:00:55.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26856 (GCVE-0-2025-26856)
Vulnerability from nvd – Published: 2025-02-20 05:49 – Updated: 2025-02-20 16:15
VLAI
EPSS
VEX
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-20617.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT2 |
Affected:
firmware Ver.1.00.008_SE and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T16:15:09.554134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T16:15:20.874Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT2",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.00.008_SE and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-20617."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T05:49:49.402Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
},
{
"url": "https://jvn.jp/en/jp/JVN15293958/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-26856",
"datePublished": "2025-02-20T05:49:49.402Z",
"dateReserved": "2025-02-17T00:29:49.508Z",
"dateUpdated": "2025-02-20T16:15:20.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23237 (GCVE-0-2025-23237)
Vulnerability from nvd – Published: 2025-01-22 05:50 – Updated: 2025-02-12 20:41
VLAI
EPSS
VEX
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If a user logs in to CLI of the affected product, an arbitrary OS command may be executed.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT2 |
Affected:
firmware Ver.1.00.008_SE and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T14:33:28.348307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:22.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT2",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.00.008_SE and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If a user logs in to CLI of the affected product, an arbitrary OS command may be executed."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-22T05:50:14.930Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
},
{
"url": "https://jvn.jp/en/jp/JVN15293958/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-23237",
"datePublished": "2025-01-22T05:50:14.930Z",
"dateReserved": "2025-01-16T07:05:52.884Z",
"dateUpdated": "2025-02-12T20:41:22.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22450 (GCVE-0-2025-22450)
Vulnerability from nvd – Published: 2025-01-22 05:49 – Updated: 2025-02-12 20:41
VLAI
EPSS
VEX
Summary
Inclusion of undocumented features issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. A remote attacker may disable the LAN-side firewall function of the affected products, and open specific ports.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1242 - Inclusion of undocumented features or chicken bits
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT2 |
Affected:
firmware Ver.1.00.008_SE and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22450",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T14:33:09.160199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:22.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT2",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.00.008_SE and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Inclusion of undocumented features issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. A remote attacker may disable the LAN-side firewall function of the affected products, and open specific ports."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1242",
"description": "Inclusion of undocumented features or chicken bits",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-22T05:49:13.793Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
},
{
"url": "https://jvn.jp/en/jp/JVN15293958/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-22450",
"datePublished": "2025-01-22T05:49:13.793Z",
"dateReserved": "2025-01-16T07:05:53.738Z",
"dateUpdated": "2025-02-12T20:41:22.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20617 (GCVE-0-2025-20617)
Vulnerability from nvd – Published: 2025-01-22 05:48 – Updated: 2025-02-20 05:51
VLAI
EPSS
VEX
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-26856.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT2 |
Affected:
firmware Ver.1.00.008_SE and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20617",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T14:32:52.824972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:22.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT2",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.00.008_SE and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-26856."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T05:51:16.359Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
},
{
"url": "https://jvn.jp/en/jp/JVN15293958/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-20617",
"datePublished": "2025-01-22T05:48:18.973Z",
"dateReserved": "2025-01-16T07:05:54.779Z",
"dateUpdated": "2025-02-20T05:51:16.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52564 (GCVE-0-2024-52564)
Vulnerability from nvd – Published: 2024-12-05 09:41 – Updated: 2025-01-29 04:55
VLAI
EPSS
VEX
Summary
Inclusion of undocumented features or chicken bits issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1242 - Inclusion of undocumented features or chicken bits
Assigner
References
2 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT1 |
Affected:
firmware Ver.2.1.8 and earlier
|
|
| I-O DATA DEVICE, INC. | UD-LT1/EX |
Affected:
firmware Ver.2.1.8 and earlier
|
|
| iodata | ud-lt1_firmware |
Affected:
0 , ≤ 2.1.8
(custom)
cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:* |
|
| iodata | ud-lt1\/ex_firmware |
Affected:
0 , ≤ 2.1.8
(custom)
cpe:2.3:o:iodata:ud-lt1\/ex_firmware:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ud-lt1_firmware",
"vendor": "iodata",
"versions": [
{
"lessThanOrEqual": "2.1.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:iodata:ud-lt1\\/ex_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ud-lt1\\/ex_firmware",
"vendor": "iodata",
"versions": [
{
"lessThanOrEqual": "2.1.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T04:55:28.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT1",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.2.1.8 and earlier"
}
]
},
{
"product": "UD-LT1/EX",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.2.1.8 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Inclusion of undocumented features or chicken bits issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1242",
"description": "Inclusion of undocumented features or chicken bits",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T09:41:39.909Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/"
},
{
"url": "https://jvn.jp/en/jp/JVN46615026/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-52564",
"datePublished": "2024-12-05T09:41:39.909Z",
"dateReserved": "2024-11-14T01:18:51.324Z",
"dateUpdated": "2025-01-29T04:55:28.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47133 (GCVE-0-2024-47133)
Vulnerability from nvd – Published: 2024-12-05 09:40 – Updated: 2024-12-18 06:33
VLAI
EPSS
VEX
Summary
UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier allow a remote authenticated attacker with an administrative account to execute arbitrary OS commands.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT1 |
Affected:
firmware Ver.2.1.9 and earlier
|
|
| I-O DATA DEVICE, INC. | UD-LT1/EX |
Affected:
firmware Ver.2.1.9 and earlier
|
|
| iodata | ud-lt1_firmware |
Affected:
0 , ≤ 2.1.8
(custom)
cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:* |
|
| iodata | ud-lt1\/ex_firmware |
Affected:
0 , ≤ 2.1.8
(custom)
cpe:2.3:o:iodata:ud-lt1\/ex_firmware:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ud-lt1_firmware",
"vendor": "iodata",
"versions": [
{
"lessThanOrEqual": "2.1.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:iodata:ud-lt1\\/ex_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ud-lt1\\/ex_firmware",
"vendor": "iodata",
"versions": [
{
"lessThanOrEqual": "2.1.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T18:44:10.055478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T18:50:28.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT1",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.2.1.9 and earlier"
}
]
},
{
"product": "UD-LT1/EX",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.2.1.9 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier allow a remote authenticated attacker with an administrative account to execute arbitrary OS commands."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T06:33:27.182Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/"
},
{
"url": "https://jvn.jp/en/jp/JVN46615026/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-47133",
"datePublished": "2024-12-05T09:40:48.474Z",
"dateReserved": "2024-11-22T00:54:46.024Z",
"dateUpdated": "2024-12-18T06:33:27.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45841 (GCVE-0-2024-45841)
Vulnerability from nvd – Published: 2024-12-05 09:39 – Updated: 2024-12-18 06:32
VLAI
EPSS
VEX
Summary
Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-732 - Incorrect permission assignment for critical resource
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT1 |
Affected:
firmware Ver.2.1.9 and earlier
|
|
| I-O DATA DEVICE, INC. | UD-LT1/EX |
Affected:
firmware Ver.2.1.9 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45841",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T11:04:58.403624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T11:13:24.038Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT1",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.2.1.9 and earlier"
}
]
},
{
"product": "UD-LT1/EX",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.2.1.9 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "Incorrect permission assignment for critical resource",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T06:32:37.504Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/"
},
{
"url": "https://jvn.jp/en/jp/JVN46615026/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-45841",
"datePublished": "2024-12-05T09:39:36.181Z",
"dateReserved": "2024-11-22T00:54:44.862Z",
"dateUpdated": "2024-12-18T06:32:37.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-0663 (GCVE-0-2018-0663)
Vulnerability from nvd – Published: 2018-09-07 14:00 – Updated: 2024-08-05 03:35
VLAI
EPSS
VEX
Summary
Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) use hardcoded credentials which may allow an remote authenticated attacker to execute arbitrary OS commands on the device via unspecified vector.
Severity
No CVSS data available.
CWE
- Use of Hard-coded Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.iodata.jp/support/information/2018/ts-wrlp/ | x_refsource_CONFIRM |
| http://jvn.jp/en/jp/JVN83701666/index.html | third-party-advisoryx_refsource_JVN |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | Multiple I-O DATA network camera products |
Affected:
(TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier)
|
Date Public
2018-08-07 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:35:49.100Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.iodata.jp/support/information/2018/ts-wrlp/"
},
{
"name": "JVN#83701666",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN83701666/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Multiple I-O DATA network camera products",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "(TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier)"
}
]
}
],
"datePublic": "2018-08-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) use hardcoded credentials which may allow an remote authenticated attacker to execute arbitrary OS commands on the device via unspecified vector."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use of Hard-coded Credentials",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-07T13:57:01.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.iodata.jp/support/information/2018/ts-wrlp/"
},
{
"name": "JVN#83701666",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN83701666/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2018-0663",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Multiple I-O DATA network camera products",
"version": {
"version_data": [
{
"version_value": "(TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier)"
}
]
}
}
]
},
"vendor_name": "I-O DATA DEVICE, INC."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) use hardcoded credentials which may allow an remote authenticated attacker to execute arbitrary OS commands on the device via unspecified vector."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use of Hard-coded Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.iodata.jp/support/information/2018/ts-wrlp/",
"refsource": "CONFIRM",
"url": "http://www.iodata.jp/support/information/2018/ts-wrlp/"
},
{
"name": "JVN#83701666",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN83701666/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2018-0663",
"datePublished": "2018-09-07T14:00:00.000Z",
"dateReserved": "2017-11-27T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:35:49.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61865 (GCVE-0-2025-61865)
Vulnerability from cvelistv5 – Published: 2025-10-23 04:14 – Updated: 2025-12-10 06:36
VLAI
EPSS
VEX
Summary
Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-428 - Unquoted search path or element
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | NarSuS App |
Affected:
prior to Ver.2.33
|
|
| I-O DATA DEVICE, INC. | Clone for Windows |
Affected:
prior to Ver2.36
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T15:00:13.400065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T15:00:29.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "NarSuS App",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.33"
}
]
},
{
"product": "Clone for Windows",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "prior to Ver2.36"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "Unquoted search path or element",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T06:36:23.383Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/10_NarSuS_App/"
},
{
"url": "https://www.iodata.jp/support/information/2025/12_CloneforWindows/"
},
{
"url": "https://jvn.jp/en/jp/JVN03295012/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-61865",
"datePublished": "2025-10-23T04:14:50.057Z",
"dateReserved": "2025-10-02T07:57:52.217Z",
"dateUpdated": "2025-12-10T06:36:23.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58116 (GCVE-0-2025-58116)
Vulnerability from cvelistv5 – Published: 2025-09-17 03:08 – Updated: 2025-09-17 13:34
VLAI
EPSS
VEX
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | WN-7D36QR |
Affected:
firmware Ver.1.1.3 and prior versions
|
|
| I-O DATA DEVICE, INC. | WN-7D36QR/UE |
Affected:
firmware Ver.1.1.3 and prior versions
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58116",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T13:33:50.768851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:34:00.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WN-7D36QR",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.1.3 and prior versions"
}
]
},
{
"product": "WN-7D36QR/UE",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.1.3 and prior versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T03:08:40.791Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/09_wn-7d36qr/index.htm"
},
{
"url": "https://jvn.jp/en/vu/JVNVU97490987/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-58116",
"datePublished": "2025-09-17T03:08:40.791Z",
"dateReserved": "2025-09-10T08:04:11.408Z",
"dateUpdated": "2025-09-17T13:34:00.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55075 (GCVE-0-2025-55075)
Vulnerability from cvelistv5 – Published: 2025-09-17 03:08 – Updated: 2025-09-17 13:38
VLAI
EPSS
VEX
Summary
Hidden functionality issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, SSH may be enabled by a remote authenticated attacker.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-912 - Hidden functionality
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | WN-7D36QR |
Affected:
firmware Ver.1.1.3 and prior versions
|
|
| I-O DATA DEVICE, INC. | WN-7D36QR/UE |
Affected:
firmware Ver.1.1.3 and prior versions
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55075",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T13:37:37.096884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:38:05.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WN-7D36QR",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.1.3 and prior versions"
}
]
},
{
"product": "WN-7D36QR/UE",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.1.3 and prior versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hidden functionality issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, SSH may be enabled by a remote authenticated attacker."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-912",
"description": "Hidden functionality",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T03:08:37.275Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/09_wn-7d36qr/index.htm"
},
{
"url": "https://jvn.jp/en/vu/JVNVU97490987/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-55075",
"datePublished": "2025-09-17T03:08:37.275Z",
"dateReserved": "2025-09-10T08:04:14.006Z",
"dateUpdated": "2025-09-17T13:38:05.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32738 (GCVE-0-2025-32738)
Vulnerability from cvelistv5 – Published: 2025-05-15 08:48 – Updated: 2025-05-15 13:59
VLAI
EPSS
VEX
Summary
Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing authentication for critical function
Assigner
References
2 references
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | HDL-TC1 |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-TC500 |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T1NV |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T1WH |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T2NV |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T2WH |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T3NV |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T3WH |
Affected:
Ver.1.21 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T13:49:48.202499Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T13:59:02.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "HDL-TC1",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-TC500",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T1NV",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T1WH",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T2NV",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T2WH",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T3NV",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T3WH",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authentication for critical function issue exists in I-O DATA network attached hard disk \u0027HDL-T Series\u0027 firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing authentication for critical function",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T08:48:19.734Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/05_hdl-t/"
},
{
"url": "https://jvn.jp/en/vu/JVNVU91726405/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-32738",
"datePublished": "2025-05-15T08:48:19.734Z",
"dateReserved": "2025-04-15T08:43:36.600Z",
"dateUpdated": "2025-05-15T13:59:02.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32002 (GCVE-0-2025-32002)
Vulnerability from cvelistv5 – Published: 2025-05-15 08:48 – Updated: 2025-05-15 14:00
VLAI
EPSS
VEX
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier when 'Remote Link3 function' is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | HDL-TC1 |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-TC500 |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T1NV |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T1WH |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T2NV |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T2WH |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T3NV |
Affected:
Ver.1.21 and earlier
|
|
| I-O DATA DEVICE, INC. | HDL-T3WH |
Affected:
Ver.1.21 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32002",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T13:59:55.448041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T14:00:55.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "HDL-TC1",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-TC500",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T1NV",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T1WH",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T2NV",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T2WH",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T3NV",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
},
{
"product": "HDL-T3WH",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "Ver.1.21 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in I-O DATA network attached hard disk \u0027HDL-T Series\u0027 firmware Ver.1.21 and earlier when \u0027Remote Link3 function\u0027 is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T08:48:12.065Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/05_hdl-t/"
},
{
"url": "https://jvn.jp/en/vu/JVNVU91726405/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-32002",
"datePublished": "2025-05-15T08:48:12.065Z",
"dateReserved": "2025-04-15T08:43:39.460Z",
"dateUpdated": "2025-05-15T14:00:55.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26856 (GCVE-0-2025-26856)
Vulnerability from cvelistv5 – Published: 2025-02-20 05:49 – Updated: 2025-02-20 16:15
VLAI
EPSS
VEX
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-20617.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT2 |
Affected:
firmware Ver.1.00.008_SE and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T16:15:09.554134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T16:15:20.874Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT2",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.00.008_SE and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-20617."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T05:49:49.402Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
},
{
"url": "https://jvn.jp/en/jp/JVN15293958/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-26856",
"datePublished": "2025-02-20T05:49:49.402Z",
"dateReserved": "2025-02-17T00:29:49.508Z",
"dateUpdated": "2025-02-20T16:15:20.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23237 (GCVE-0-2025-23237)
Vulnerability from cvelistv5 – Published: 2025-01-22 05:50 – Updated: 2025-02-12 20:41
VLAI
EPSS
VEX
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If a user logs in to CLI of the affected product, an arbitrary OS command may be executed.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT2 |
Affected:
firmware Ver.1.00.008_SE and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T14:33:28.348307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:22.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT2",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.00.008_SE and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If a user logs in to CLI of the affected product, an arbitrary OS command may be executed."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-22T05:50:14.930Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
},
{
"url": "https://jvn.jp/en/jp/JVN15293958/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-23237",
"datePublished": "2025-01-22T05:50:14.930Z",
"dateReserved": "2025-01-16T07:05:52.884Z",
"dateUpdated": "2025-02-12T20:41:22.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22450 (GCVE-0-2025-22450)
Vulnerability from cvelistv5 – Published: 2025-01-22 05:49 – Updated: 2025-02-12 20:41
VLAI
EPSS
VEX
Summary
Inclusion of undocumented features issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. A remote attacker may disable the LAN-side firewall function of the affected products, and open specific ports.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1242 - Inclusion of undocumented features or chicken bits
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT2 |
Affected:
firmware Ver.1.00.008_SE and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22450",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T14:33:09.160199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:22.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT2",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.00.008_SE and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Inclusion of undocumented features issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. A remote attacker may disable the LAN-side firewall function of the affected products, and open specific ports."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1242",
"description": "Inclusion of undocumented features or chicken bits",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-22T05:49:13.793Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
},
{
"url": "https://jvn.jp/en/jp/JVN15293958/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-22450",
"datePublished": "2025-01-22T05:49:13.793Z",
"dateReserved": "2025-01-16T07:05:53.738Z",
"dateUpdated": "2025-02-12T20:41:22.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20617 (GCVE-0-2025-20617)
Vulnerability from cvelistv5 – Published: 2025-01-22 05:48 – Updated: 2025-02-20 05:51
VLAI
EPSS
VEX
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-26856.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT2 |
Affected:
firmware Ver.1.00.008_SE and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20617",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T14:32:52.824972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:22.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT2",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.1.00.008_SE and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-26856."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T05:51:16.359Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2025/01_ud-lt2/"
},
{
"url": "https://jvn.jp/en/jp/JVN15293958/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-20617",
"datePublished": "2025-01-22T05:48:18.973Z",
"dateReserved": "2025-01-16T07:05:54.779Z",
"dateUpdated": "2025-02-20T05:51:16.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52564 (GCVE-0-2024-52564)
Vulnerability from cvelistv5 – Published: 2024-12-05 09:41 – Updated: 2025-01-29 04:55
VLAI
EPSS
VEX
Summary
Inclusion of undocumented features or chicken bits issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1242 - Inclusion of undocumented features or chicken bits
Assigner
References
2 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT1 |
Affected:
firmware Ver.2.1.8 and earlier
|
|
| I-O DATA DEVICE, INC. | UD-LT1/EX |
Affected:
firmware Ver.2.1.8 and earlier
|
|
| iodata | ud-lt1_firmware |
Affected:
0 , ≤ 2.1.8
(custom)
cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:* |
|
| iodata | ud-lt1\/ex_firmware |
Affected:
0 , ≤ 2.1.8
(custom)
cpe:2.3:o:iodata:ud-lt1\/ex_firmware:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ud-lt1_firmware",
"vendor": "iodata",
"versions": [
{
"lessThanOrEqual": "2.1.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:iodata:ud-lt1\\/ex_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ud-lt1\\/ex_firmware",
"vendor": "iodata",
"versions": [
{
"lessThanOrEqual": "2.1.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T04:55:28.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT1",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.2.1.8 and earlier"
}
]
},
{
"product": "UD-LT1/EX",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.2.1.8 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Inclusion of undocumented features or chicken bits issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1242",
"description": "Inclusion of undocumented features or chicken bits",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T09:41:39.909Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/"
},
{
"url": "https://jvn.jp/en/jp/JVN46615026/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-52564",
"datePublished": "2024-12-05T09:41:39.909Z",
"dateReserved": "2024-11-14T01:18:51.324Z",
"dateUpdated": "2025-01-29T04:55:28.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47133 (GCVE-0-2024-47133)
Vulnerability from cvelistv5 – Published: 2024-12-05 09:40 – Updated: 2024-12-18 06:33
VLAI
EPSS
VEX
Summary
UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier allow a remote authenticated attacker with an administrative account to execute arbitrary OS commands.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT1 |
Affected:
firmware Ver.2.1.9 and earlier
|
|
| I-O DATA DEVICE, INC. | UD-LT1/EX |
Affected:
firmware Ver.2.1.9 and earlier
|
|
| iodata | ud-lt1_firmware |
Affected:
0 , ≤ 2.1.8
(custom)
cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:* |
|
| iodata | ud-lt1\/ex_firmware |
Affected:
0 , ≤ 2.1.8
(custom)
cpe:2.3:o:iodata:ud-lt1\/ex_firmware:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:iodata:ud-lt1_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ud-lt1_firmware",
"vendor": "iodata",
"versions": [
{
"lessThanOrEqual": "2.1.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:iodata:ud-lt1\\/ex_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ud-lt1\\/ex_firmware",
"vendor": "iodata",
"versions": [
{
"lessThanOrEqual": "2.1.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T18:44:10.055478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T18:50:28.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT1",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.2.1.9 and earlier"
}
]
},
{
"product": "UD-LT1/EX",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.2.1.9 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier allow a remote authenticated attacker with an administrative account to execute arbitrary OS commands."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T06:33:27.182Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/"
},
{
"url": "https://jvn.jp/en/jp/JVN46615026/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-47133",
"datePublished": "2024-12-05T09:40:48.474Z",
"dateReserved": "2024-11-22T00:54:46.024Z",
"dateUpdated": "2024-12-18T06:33:27.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45841 (GCVE-0-2024-45841)
Vulnerability from cvelistv5 – Published: 2024-12-05 09:39 – Updated: 2024-12-18 06:32
VLAI
EPSS
VEX
Summary
Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-732 - Incorrect permission assignment for critical resource
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| I-O DATA DEVICE, INC. | UD-LT1 |
Affected:
firmware Ver.2.1.9 and earlier
|
|
| I-O DATA DEVICE, INC. | UD-LT1/EX |
Affected:
firmware Ver.2.1.9 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45841",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T11:04:58.403624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T11:13:24.038Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UD-LT1",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.2.1.9 and earlier"
}
]
},
{
"product": "UD-LT1/EX",
"vendor": "I-O DATA DEVICE, INC.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.2.1.9 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "Incorrect permission assignment for critical resource",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T06:32:37.504Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/"
},
{
"url": "https://jvn.jp/en/jp/JVN46615026/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-45841",
"datePublished": "2024-12-05T09:39:36.181Z",
"dateReserved": "2024-11-22T00:54:44.862Z",
"dateUpdated": "2024-12-18T06:32:37.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
JVNDB-2025-000091
Vulnerability from jvndb - Published: 2025-10-22 15:04 - Updated:2025-12-10 16:20
Severity
Summary
Multiple I-O DATA NAS management applications register Windows services with unquoted file paths
Details
Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths.
Multiple NAS management applications provided by I-O DATA DEVICE, INC. contain the following vulnerability.
- Unquoted search path or element (CWE-428) - CVE-2025-61865
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000091.html",
"dc:date": "2025-12-10T16:20+09:00",
"dcterms:issued": "2025-10-22T15:04+09:00",
"dcterms:modified": "2025-12-10T16:20+09:00",
"description": "Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths.\r\nMultiple NAS management applications provided by I-O DATA DEVICE, INC. contain the following vulnerability.\r\n\u003cul\u003e\u003cli\u003eUnquoted search path or element (CWE-428) - CVE-2025-61865\u003c/li\u003e\u003c/ul\u003e\r\nKazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000091.html",
"sec:cpe": [
{
"#text": "cpe:/a:i-o_data_device:clone_for_windows",
"@product": "Clone for Windows",
"@vendor": "I-O DATA DEVICE, INC.",
"@version": "2.2"
},
{
"#text": "cpe:/a:i-o_data_device:narsus_app",
"@product": "NarSuS app",
"@vendor": "I-O DATA DEVICE, INC.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "6.7",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-000091",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN03295012/index.html",
"@id": "JVN#03295012",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-61865",
"@id": "CVE-2025-61865",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple I-O DATA NAS management applications register Windows services with unquoted file paths"
}
JVNDB-2025-014104
Vulnerability from jvndb - Published: 2025-09-19 14:58 - Updated:2025-09-19 14:58
Severity
Summary
Multiple vulnerabilities in I-O DATA wireless LAN routers
Details
Wireless LAN routers provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities listed below.
* Hidden functionality (CWE-912) - CVE-2025-55075
* OS command injection (CWE-78) - CVE-2025-58116
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
References
| Type | URL | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-014104.html",
"dc:date": "2025-09-19T14:58+09:00",
"dcterms:issued": "2025-09-19T14:58+09:00",
"dcterms:modified": "2025-09-19T14:58+09:00",
"description": "Wireless LAN routers provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities listed below.\r\n\r\n* Hidden functionality (CWE-912) - CVE-2025-55075\r\n* OS command injection (CWE-78) - CVE-2025-58116\r\n\r\nChuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-014104.html",
"sec:cpe": [
{
"#text": "cpe:/o:i-o_data_device:wn-7d36qr%2fue_firmware",
"@product": "WN-7D36QR/UE firmware",
"@vendor": "I-O DATA DEVICE, INC.",
"@version": "2.2"
},
{
"#text": "cpe:/o:i-o_data_device:wn-7d36qr_firmware",
"@product": "WN-7D36QR firmware",
"@vendor": "I-O DATA DEVICE, INC.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "7.2",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-014104",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU97490987/index.html",
"@id": "JVNVU#97490987",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-55075",
"@id": "CVE-2025-55075",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-58116",
"@id": "CVE-2025-58116",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
},
{
"#text": "https://cwe.mitre.org/data/definitions/912.html",
"@id": "CWE-912",
"@title": "Hidden Functionality(CWE-912)"
}
],
"title": "Multiple vulnerabilities in I-O DATA wireless LAN routers"
}
JVNDB-2025-005057
Vulnerability from jvndb - Published: 2025-05-15 18:27 - Updated:2025-05-15 18:27
Severity
Summary
Multiple vulnerabilities in I-O DATA network attached hard disk 'HDL-T Series'
Details
Network attached hard disk 'HDL-T Series' provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities.
- OS command injection (CWE-78)
- Affected when 'Remote Link3 function' is enabled
- CVE-2025-32002
- Missing authentication for critical function (CWE-306)
- CVE-2025-32738
References
| Type | URL | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-005057.html",
"dc:date": "2025-05-15T18:27+09:00",
"dcterms:issued": "2025-05-15T18:27+09:00",
"dcterms:modified": "2025-05-15T18:27+09:00",
"description": "Network attached hard disk \u0027HDL-T Series\u0027 provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities.\r\n\r\n\u003cul\u003e\r\n\u003cli\u003eOS command injection (CWE-78)\u003c/li\u003e\r\n\u003cul\u003e\r\n\u003cli\u003eAffected when \u0027Remote Link3 function\u0027 is enabled\u003c/li\u003e\r\n\u003cli\u003eCVE-2025-32002\u003c/li\u003e\r\n\u003c/ul\u003e\r\n\r\n\u003cli\u003eMissing authentication for critical function (CWE-306)\u003c/li\u003e\r\n\u003cul\u003e\u003cli\u003eCVE-2025-32738\u003c/li\u003e\u003c/ul\u003e\r\n\u003c/ul\u003e\r\n\r\nChuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-005057.html",
"sec:cpe": {
"#text": "cpe:/h:i-o_data_device:hdl-t",
"@product": "HDL-T Series",
"@vendor": "I-O DATA DEVICE, INC.",
"@version": "2.2"
},
"sec:cvss": {
"@score": "9.8",
"@severity": "Critical",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-005057",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU91726405/index.html",
"@id": "JVNVU#91726405",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-32002",
"@id": "CVE-2025-32002",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-32738",
"@id": "CVE-2025-32738",
"@source": "CVE"
},
{
"#text": "https://cwe.mitre.org/data/definitions/306.html",
"@id": "CWE-306",
"@title": "Missing Authentication for Critical Function(CWE-306)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
}
],
"title": "Multiple vulnerabilities in I-O DATA network attached hard disk \u0027HDL-T Series\u0027"
}
JVNDB-2025-000004
Vulnerability from jvndb - Published: 2025-01-22 13:55 - Updated:2025-02-20 15:55
Severity
Summary
Multiple vulnerabilities in I-O DATA router UD-LT2
Details
UD-LT2 provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities listed below.
- OS Command Injection (CWE-78) - CVE-2025-20617, CVE-2025-26856
- Inclusion of Undocumented Features (CWE-1242) - CVE-2025-22450
- OS Command Injection (CWE-78) - CVE-2025-23237
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000004.html",
"dc:date": "2025-02-20T15:55+09:00",
"dcterms:issued": "2025-01-22T13:55+09:00",
"dcterms:modified": "2025-02-20T15:55+09:00",
"description": "UD-LT2 provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities listed below.\u003cul\u003e\u003cli\u003eOS Command Injection (CWE-78) - CVE-2025-20617, CVE-2025-26856\u003c/li\u003e\u003cli\u003eInclusion of Undocumented Features (CWE-1242) - CVE-2025-22450\u003c/li\u003e\u003cli\u003eOS Command Injection (CWE-78) - CVE-2025-23237\u003c/li\u003e\u003c/ul\u003e\r\n\r\nCVE-2025-20617, CVE-2025-22450, CVE-2025-23237\r\nTakeshi Kuramori, Kaori Takashima, and Kohei Masumi of National Institute of Information and Communications Technology, Cybersecurity Research Institute reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2025-26856\r\nMasashi Shiraishi of Mitsui Bussan Secure Directions, Inc. reported this vulnerability IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000004.html",
"sec:cpe": {
"#text": "cpe:/o:i-o_data_device:ud-lt2_firmware",
"@product": "UD-LT2 firmware",
"@vendor": "I-O DATA DEVICE, INC.",
"@version": "2.2"
},
"sec:cvss": {
"@score": "7.5",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-000004",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN15293958/index.html",
"@id": "JVN#15293958",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-20617",
"@id": "CVE-2025-20617",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-22450",
"@id": "CVE-2025-22450",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-23237",
"@id": "CVE-2025-23237",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-26856",
"@id": "CVE-2025-26856",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in I-O DATA router UD-LT2"
}
JVNDB-2024-000125
Vulnerability from jvndb - Published: 2024-12-04 15:22 - Updated:2024-12-18 15:20
Severity
Summary
Multiple vulnerabilities in I-O DATA routers UD-LT1 and UD-LT1/EX
Details
UD-LT1 and UD-LT1/EX provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below.
- Incorrect Permission Assignment for Critical Resource (CWE-732) - CVE-2024-45841
- OS Command Injection (CWE-78) - CVE-2024-47133
- Inclusion of Undocumented Features (CWE-1242) - CVE-2024-52564
References
| Type | URL | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000125.html",
"dc:date": "2024-12-18T15:20+09:00",
"dcterms:issued": "2024-12-04T15:22+09:00",
"dcterms:modified": "2024-12-18T15:20+09:00",
"description": "UD-LT1 and UD-LT1/EX provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eIncorrect Permission Assignment for Critical Resource (CWE-732) - CVE-2024-45841\u003c/li\u003e\u003cli\u003eOS Command Injection (CWE-78) - CVE-2024-47133\u003c/li\u003e\u003cli\u003eInclusion of Undocumented Features (CWE-1242) - CVE-2024-52564\u003c/li\u003e\u003c/ul\u003e\r\nThe developer states that attacks exploiting these vulnerabilities have been observed.\r\n\r\nCVE-2024-45841, CVE-2024-47133\r\nTakeshi Kuramori, Kaori Takashima, and Kohei Masumi of National Institute of Information and Communications Technology, Cybersecurity Research Institute reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2024-52564\r\nChuya Hayakawa and Ryo Kamino of 00One, Inc. reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000125.html",
"sec:cpe": [
{
"#text": "cpe:/o:i-o_data_device:ud-lt1_ex_firmware",
"@product": "UD-LT1/EX firmware",
"@vendor": "I-O DATA DEVICE, INC.",
"@version": "2.2"
},
{
"#text": "cpe:/o:i-o_data_device:ud-lt1_firmware",
"@product": "UD-LT1 firmware",
"@vendor": "I-O DATA DEVICE, INC.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "7.5",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-000125",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN46615026/index.html",
"@id": "JVN#46615026",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-45841",
"@id": "CVE-2024-45841",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-47133",
"@id": "CVE-2024-47133",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-52564",
"@id": "CVE-2024-52564",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/security/security-alert/2024/20241204-jvn.html",
"@id": "Security Alert for Vulnerability in I-O DATA routers UD-LT1 and UD-LT1/EX (JVN#46615026)",
"@source": "IPA SECURITY ALERTS"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in I-O DATA routers UD-LT1 and UD-LT1/EX"
}