JVNDB-2025-000019

Multiple vulnerabilities in AssetView

AssetView provided by Hammock Corporation contains multiple vulnerabilities listed below.

• Missing authentication for critical function (CWE-306) - CVE-2025-25060
  
  
• Acquiring sensitive information from sent data to the developer (CWE-201) - CVE-2025-27244
  

Takao Kondo of VeriServe Corporation reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Hammock Corporation

• AssetView versions prior to Ver 13.2.4.3408 (13.2.4O)
• AssetView CLOUD Versions prior to Ver 13.2.4.3408 (13.2.4O)
• AssetView CLOUD Versions prior to Ver 13.3.4.3004 (13.3.4K)

The developer states that AssetView Cloud + is not affected by these vulnerabilities.

• The files on the server where the product is running may be obtained and/or deleted by a remote unauthenticated attacker (CVE-2025-25060)


• Sensitive information may be obtained by a remote unauthenticated attacker (CVE-2025-27244)

[Update the Software]
For AseetView:
Apply the appropriate update according to the information provided by the developer.
Users of AssetView prior to Ver 13.2.0 should contact Support Group of the developer.

For AseetView CLOUD:
Users of AssetView CLOUD should contact Support Group of the developer.

Refer to the infomation (in Japanese) provided by the developer for details.

Hammock Corporation

• Hammock Corporation : Two vulnerabilities in AssetView (in Japanese)
• Hammock Corporation : How to address two vulnerabilities in AssetView (JVN#26321838) (in Japanese, login required)

1. No Mapping(CWE-Other) [IPA Evaluation]

1. CVE-2025-25060
2. CVE-2025-27244

1. JVN : JVN#26321838

• [2025/03/25]
    Web page was published