JVNDB-2025-000022

Multiple vulnerabilities in JTEKT ELECTRONICS CORPORATION's products

Overview

HMI ViewJet C-more series and HMI GC-A2 series provided by JTEKT ELECTRONICS CORPORATION contain multiple vulnerabilities listed below.


  • Improper Restriction of Rendered UI Layers or Frames (CWE-1021) - CVE-2025-24310

  • Allocation of Resources Without Limits or Throttling (CWE-770) - CVE-2025-24317

  • Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441) - CVE-2025-25061

  • Weak Encoding for Password (CWE-261) - CVE-2025-26401



JTEKT ELECTRONICS CORPORATION reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC and JTEKT ELECTRONICS CORPORATION coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-26401


CVSS V3 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-25061


CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
The above CVSS base scores have been assigned for CVE-2025-24317


CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-24310
Affected Products


JTEKT ELECTRONICS CORPORATION
  • HMI GC-A2 Series (CVE-2025-24317, CVE-2025-25061)
  • HMI ViewJet C-more Series (CVE-2025-24310, CVE-2025-24317, CVE-2025-25061, CVE-2025-26401)

Impact


  • An unauthenticated remote attacker may trick the product user into performing operations on the product's web pages (CVE-2025-24310)

  • An unauthenticated remote attacker may cause a denial-of-service (DoS) condition (CVE-2025-24317)

  • An unauthenticated remote attacker may use the product as an intermediary for an FTP bounce attack (CVE-2025-25061)

  • Authentication information may be obtained (CVE-2025-26401)

Solution

HMI ViewJet C-more series
[Apply the Workaround]
The developer has ended support for the products and recommends that users apply the workaround.

HMI GC-A2 series
[Apply the Workaround]
The developer recommends that users apply the workaround.

For more information, refer to the information provided by the developer.
Vendor Information

JTEKT ELECTRONICS CORPORATION

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2025-24310
  2. CVE-2025-24317
  3. CVE-2025-25061
  4. CVE-2025-26401
References

  1. JVN : JVN#17260367
Revision History

  • [2025/04/02]
      Web page was published