JVNDB-2025-000019

Multiple vulnerabilities in AssetView

Overview

AssetView, provided by Hammock Corporation, contains the multiple vulnerabilities listed below.

  • Missing authentication for critical function (CWE-306) - CVE-2025-25060

  • Acquiring sensitive information from data sent to the developer (CWE-201) - CVE-2025-27244


Takao Kondo of VeriServe Corporation reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 8.2 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base score has been assigned to CVE-2025-25060.


CVSS V3 Severity:
Base Metrics 5.9 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base score has been assigned to CVE-2025-27244.

Affected Products


Hammock Corporation
  • AssetView versions prior to Ver 13.2.4.3408 (13.2.4O)
  • AssetView CLOUD versions prior to Ver 13.2.4.3408 (13.2.4O)
  • AssetView CLOUD versions prior to Ver 13.3.4.3004 (13.3.4K)

The developer states that AssetView Cloud + is not affected by these vulnerabilities.

Impact


  • The files on the server where the product is running may be obtained and/or deleted by a remote unauthenticated attacker (CVE-2025-25060)

  • Sensitive information may be obtained by a remote unauthenticated attacker (CVE-2025-27244)

Solution

[Update the Software]
For AssetView:
Apply the appropriate update according to the information provided by the developer.
Users of AssetView prior to Ver 13.2.0 should contact the developer's Support Group.

For AssetView CLOUD:
Users of AssetView CLOUD should contact the developer's Support Group.

Refer to the information (in Japanese) provided by the developer for details.

Vendor Information

Hammock Corporation

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2025-25060
  2. CVE-2025-27244

References

  1. JVN: JVN#26321838

Revision History

  • [2025/03/25]
      Web page was published