JVNDB-2025-000026

[Japanese]
JVNDB-2025-000026
Multiple vulnerabilities in BizRobo!
Overview
BizRobo! is an RPA (Robotic Process Automation) software provided by OPEN, Inc. Users compile an automation flow using DesignStudio, a development application that runs on Windows, and create robot files. A web application Management Console is provided to schedule RPA execution and to check the execution logs. BizRobo! contains multiple vulnerabilities listed below. Use of hard-coded cryptographic key (CWE-321) - CVE-2025-31362 Deserialization of untrusted data in the import function (CWE-502) - CVE-2013-7285 Deserialization of untrusted data in Design Studio license authorization (CWE-502) - CVE-2025-31932 Masamu Asato of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 8.8 (High) [IPA Score] Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality Impact: High Integrity Impact: High Availability Impact: High The above CVSS base scores have been assigned for CVE-2025-31932
CVSS V3 Severity: Base Metrics 7.2 (High) [IPA Score] Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality Impact: High Integrity Impact: High Availability Impact: High The above CVSS base scores have been assigned for CVE-2013-7285
CVSS V3 Severity: Base Metrics 3.7 (Low) [IPA Score] Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality Impact: Low Integrity Impact: None Availability Impact: None The above CVSS base scores have been assigned for CVE-2025-31362
Affected Products

OPEN, Inc. BizRobo! all versions (CVE-2025-31362,CVE-2025-31932) BizRobo! versions v11.1 and earlier (CVE-2013-7285)

Impact
Credentials inside robot files may be obtained if the encryption key is available (CVE-2025-31362) Arbitrary code is executed on the Management Console (CVE-2013-7285, CVE-2025-31932)
Solution
CVE-2025-31362,CVE-2025-31932 [Apply the workaround] Apply the workaround according to the information provided by the developer. CVE-2013-7285 [Update the software or Apply the workaround] The patch support period for the affected versions has ended. The developer recommends updating to the latest version. If there is any problem on updating the affected product, the developer recommends applying the workaround. For more information, refer to the information provided by the developer.
Vendor Information
OPEN, Inc. OPEN, Inc. : Vulnerability of using hard-coded cryptographic key (in Japanese) OPEN, Inc. : Use of the Java XStream library which has the known vulnerability (in Japanese) OPEN, Inc. : Arbitrary code execution on the MC license server due to Java deserialization at Design Studio license authentication by a user (in Japanese) OPEN, Inc. : BizRobo! support period (in Japanese)
CWE (What is CWE?)
No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)
CVE-2025-31362 CVE-2025-31932
References
JVN : JVN#30641875
Revision History
[2025/04/10] Web page was published


Date Public	2025/04/10
Date First Published	2025/04/10
Date Last Updated	2025/04/10

Multiple vulnerabilities in BizRobo!