JVNDB-2025-000008

Multiple vulnerabilities in Defense Platform Home Edition

Overview

Defense Platform Home Edition provided by Humming Heads Inc. contains the multiple vulnerabilities listed below.
  • Improper handling of message in specific process (CWE-422) - CVE-2025-20094
  • Execution with unnecessary privileges (CWE-250) - CVE-2025-22890
  • Improper handling of message in specific process (CWE-422) - CVE-2025-22894
  • Buffer overflow vulnerability in DeviceIoControl (CWE-120) - CVE-2025-23236
  • NULL pointer dereference vulnerability in DeviceIoControl (CWE-476) - CVE-2025-24483
  • Argument injection vulnerability in DPprd.sys and DPavd.sys (CWE-88) - CVE-2025-24845

CVE-2025-20094, CVE-2025-22890, CVE-2025-22894, CVE-2025-23236, CVE-2025-24483
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVE-2025-24845
This vulnerability was reported to IPA under the Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned to CVE-2025-20094


CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned to CVE-2025-23236


CVSS V3 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
The above CVSS base score has been assigned to CVE-2025-22890


CVSS V3 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
The above CVSS base score has been assigned to CVE-2025-22894


CVSS V3 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
The above CVSS base score has been assigned to CVE-2025-24483


CVSS V3 Severity:
Base Metrics 6.3 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
The above CVSS base score has been assigned to CVE-2025-24845

Affected Products

Humming Heads Inc.
  • Defense Platform Home Edition Ver.3.9.51.x and earlier versions

Impact

  • If an attacker sends a specially crafted message to a specific process on the Windows system where the product is running, arbitrary code may be executed with SYSTEM privileges (CVE-2025-20094)

  • If an attacker performs a specific operation, the attacker may obtain SYSTEM privileges on the Windows system where the product is running (CVE-2025-22890, CVE-2025-23236)

  • If an attacker sends a specially crafted message to a specific process on the Windows system where the product is running, arbitrary files on the system may be altered. As a result, an arbitrary DLL may be executed with SYSTEM privileges (CVE-2025-22894)

  • If an attacker provides specially crafted data to a specific process on the Windows system where the product is running, the system may crash with a Blue Screen of Death (BSOD), resulting in a denial-of-service (DoS) condition (CVE-2025-24483, CVE-2025-24845)

Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.

Vendor Information

Humming Heads Inc.

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2025-20094
  2. CVE-2025-22890
  3. CVE-2025-22894
  4. CVE-2025-23236
  5. CVE-2025-24483
  6. CVE-2025-24845

References

  1. JVN : JVN#66673020

Revision History

  • [2025/02/05]
      Web page was published