DLL planting vulnerability in multiple Yayoi 17 Series products


Multiple Yayoi 17 Series products provided by Yayoi Co., Ltd. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).

Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Yayoi Co., Ltd
  • Yayoi Kyuuyo Keisan 17 Ver.20.1.4 and earlier
  • Yayoi Kokyaku Kanri 17 Ver.11.0.2 and earlier
  • Yayoi Aoiro Shinkoku 17 Ver.23.1.1 and earlier
  • Yayoi Kaikei 17 Series Ver.23.1.1 and earlier
  • Yayoi Kyuuyo 17 Ver.20.1.4 and earlier
  • Yayoi Hanbai 17 Series Ver.20.0.2 and earlier


Arbitrary code may be executed with the privilege of the running application.

[Update the Software]
Apply the appropriate update according to the information provided by the developer.
Vendor Information

Yayoi Co., Ltd
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2018-0623
  2. CVE-2018-0624

  1. JVN : JVN#06813756
  2. JVN : JVNTA#91240916
  3. National Vulnerability Database (NVD) : CVE-2018-0623
  4. National Vulnerability Database (NVD) : CVE-2018-0624
Revision History

  • [2018/07/20]
      Web page was published
  • [2019/07/25]
      References : Contents were added