JVNDB-2025-000085

Multiple RSUPPORT products may insecurely load Dynamic Link Libraries

Overview

Multiple RSUPPORT products contain multiple vulnerabilities listed below.
  • RemoteView PC Application Console vulnerable to uncontrolled search path element (CWE-427) - CVE-2025-26859

  • RemoteCall Remote Support Program (for Operator) vulnerable to uncontrolled search path element (CWE-427) - CVE-2025-26860, CVE-2025-26861

CVE-2025-26859
Eiji James Yoshida reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2025-26860, CVE-2025-26861
Eili Masami reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

JPCERT/CC Addendum
These vulnerabilities were reported to IPA, and JPCERT/CC started coordination with the developer in 2017.
The developer released the fixed versions in 2017.
The coordination between JPCERT/CC and the developer was completed and this JVN was published in 2025.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-26859


CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-26860, CVE-2025-26861
Affected Products


RSUPPORT Co., Ltd.
  • RemoteCall Remote Support Program (for Operator) versions prior to 5.1.0 (CVE-2025-26860)
  • RemoteCall Remote Support Program (for Operator) versions prior to 5.3.0 (CVE-2025-26861)
  • RemoteView PC Application Console versions prior to 6.0.2

Impact

If a crafted DLL is placed in the same folder as the affected product, arbitrary code may be executed.
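
A defender-side check for the condition described above, as an added example that is not part of the advisory or the vendor's code: it lists DLLs in a folder that lack a valid Authenticode signature or reuse the name of a DLL in System32. The function name `Find-ShadowingDll` and the Downloads path are assumptions; point `-Folder` at the folder the affected program is started from.

```powershell
# Added example: audit a folder for DLLs that an executable started from
# that folder could load instead of the intended library (CWE-427).
function Find-ShadowingDll {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [string] $SystemDir = (Join-Path $env:windir 'System32')
    )

    # Names of DLLs in the system directory, compared case-insensitively.
    $systemNames = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    Get-ChildItem -LiteralPath $SystemDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$systemNames.Add($_.Name) }

    Get-ChildItem -LiteralPath $Folder -Filter '*.dll' -File | ForEach-Object {
        $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $shadows = $systemNames.Contains($_.Name)

        # Report a DLL when it has no valid signature or reuses a system DLL name.
        if ($sig.Status -ne 'Valid' -or $shadows) {
            [pscustomobject]@{
                Path            = $_.FullName
                ShadowsSystem   = $shadows
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject
                SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                LastWriteTime   = $_.LastWriteTime
            }
        }
    }
}

# Assumed location for illustration; replace with the folder that holds the
# affected program (for example, where a downloaded executable was saved).
Find-ShadowingDll -Folder (Join-Path $env:USERPROFILE 'Downloads') |
    Format-Table -AutoSize
```

Unsigned DLLs that legitimately ship with a product will also appear in the output, so each reported file needs to be compared against the vendor's installed file set before it is treated as planted.
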
Solution

The developer released the fixed versions below in 2017.
CVE-2025-26859
  • RemoteView PC Application Console 6.0.2

CVE-2025-26860
  • RemoteCall Remote Support Program (for Operator) 5.1.0

CVE-2025-26861
  • RemoteCall Remote Support Program (for Operator) 5.3.0

No operation is required by users as the product is always upgraded to the latest version by the automatic update mechanism.

Service for RemoteView PC Application Console, which is affected by CVE-2025-26859, ended on January 31, 2023.

Vendor Information

RSUPPORT Co., Ltd.

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2025-26859
  2. CVE-2025-26860
  3. CVE-2025-26861
References

  1. JVN : JVN#22713803
Revision History

  • [2025/10/15]
      Web page was published