Cybozu Desktop for Windows vulnerable to arbitrary code execution


Cybozu Desktop for Windows provided by Cybozu, Inc. contains an arbitrary code execution vulnerability due to improper data processing when applying a software update.

Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to Cybozu, Inc. and coordinated. Cybozu, Inc. and JPCERT/CC published respective advisories in order to notify users of this vulnerability.
CVSS Severity

CVSS V3 Severity:
Base Metrics 8.3 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Cybozu, Inc.
  • Cybozu Desktop for Windows 2.0.23 to 2.2.40


A remote attacker may execute arbitrary code through an attack such as a man-in-the-middle (MITM) attack or a subdomain takeover.

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Cybozu, Inc.
CWE

  1. Improper Input Validation (CWE-20) [IPA Evaluation]
CVE

  1. CVE-2020-5537

  1. JVN : JVN#59552136
Revision History

  • [2020/05/25]
      Web page was published