JVNDB-2025-000056
|
Multiple vulnerabilities in Sato label printers CL4/6NX Plus and CL4/6NX-J Plus series
|
Sato label printers CL4/6NX Plus and CL4/6NX-J Plus series provided by SATO Corporation contain multiple vulnerabilities listed below.
- OS command injection (CWE-78) - CVE-2025-22469
- Unrestricted upload of file with dangerous type (CWE-434) - CVE-2025-22470
MASAHIRO IIDA of LAC Co., Ltd. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 9.8 (Critical) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base score has been assigned to CVE-2025-22470.
|
CVSS V3 Severity: Base Metrics 7.3 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
The above CVSS base score has been assigned to CVE-2025-22469.
|
|
SATO CORPORATION
- CL4/6NX Plus, firmware versions prior to 1.15.5-r1
- CL4/6NX-J Plus (Japan model), firmware versions prior to 1.15.5-r1
|
|
- A remote attacker may execute an arbitrary OS command on the system with a certain non-administrative user privilege (CVE-2025-22469)
- A remote attacker may execute an arbitrary Lua script on the system with root privilege (CVE-2025-22470)
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
[Apply workarounds]
The developer provides workarounds for users who cannot apply the update.
Refer to the information provided by the developer for details.
|
SATO CORPORATION
|
- OS Command Injection (CWE-78) [IPA Evaluation]
- No Mapping (CWE-Other) [IPA Evaluation]
|
- CVE-2025-22469
- CVE-2025-22470
|
- JVN : JVN#16547726
|
- [2025/08/06]
Web page was published
|