[Japanese]

JVNDB-2025-000110

Multiple vulnerabilities in Security Point (Windows) of MaLion

Overview

Security Point (Windows) of MaLion provided by Intercom, Inc. contains multiple vulnerabilities listed below.
  • Incorrect default permissions (CWE-276) - CVE-2025-59485
  • Stack-based buffer overflow in processing HTTP headers (CWE-121) - CVE-2025-62691
  • Heap-based buffer overflow in processing Content-Length (CWE-122) - CVE-2025-64693
CVE-2025-59485
Ruslan Sayfiev of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2025-62691, CVE-2025-64693
Denis Faiustov, and Ruslan Sayfiev of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-62691

CVSS v3 Severity
Base Metrics: 9.8(Critical) [IPA Score]
  • Access Vector : Network
  • Access Complexity : Low
  • Privileges Required : None
  • User Interaction : None
  • Scope : Unchanged
  • Confidentiality Impact : High
  • Integrity Impact : High
  • Availability Impact : High
The above CVSS base scores have been assigned forCVE-2025-64693

CVSS v3 Severity
Base Metrics: 3.3(Low) [IPA Score]
  • Access Vector : Local
  • Access Complexity : Low
  • Privileges Required : Low
  • User Interaction : None
  • Scope : Unchanged
  • Confidentiality Impact : None
  • Integrity Impact : Low
  • Availability Impact : None
The above CVSS base scores have been assigned forCVE-2025-59485
Affected Products


Intercom, Inc.
  • Security Point (Windows) of MaLion prior to Ver.5.3.4
  • Security Point (Windows) of MaLion prior to Ver.7.1.1.9
  • Security Point (Windows) of MaLionCloud prior to Ver.7.2.0.1

Impact

  • An arbitrary file could be placed in the specific folder by a user who can log in to the system where the product's Windows client is installed. If the file is a specially crafted DLL file, arbitrary code could be executed withSYSTEMprivilege (CVE-2025-59485)
  • Receiving a specially crafted request from a remote unauthenticated attacker could lead to arbitrary code execution withSYSTEMprivilege (CVE-2025-62691, CVE-2025-64693)
Solution

[Update the product]
Update the product to the latest version according to the information provided by the developer.
The developer has released the following updates that contain fixes for these vulnerabilities.

CVE-2025-59485
  • Security Point (Windows) of MaLion Ver.5.3.4 or later
CVE-2025-62691, CVE-2025-64693
  • Security Point (Windows) of MaLion Ver.7.1.1.9 or later
  • Security Point (Windows) of MaLionCloud Ver.7.2.0.1 or later
Vendor Information

Intercom, Inc.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2025-59485
  2. CVE-2025-62691
  3. CVE-2025-64693
References

  1. JVN : JVN#76298784
Revision History

  • [2025/11/25]
      Web page was published

Date Public2025/11/25
Date First Published2025/11/25
Date Last Updated2025/11/25