JVNDB-2025-000116

[Japanese]
JVNDB-2025-000116
GS Yuasa FULLBACK Manager Pro registers Windows services with unquoted file paths
Overview
FULLBACK Manager Pro provided by GS Yuasa International Ltd. contains the following vulnerability. Unquoted search path or element (CWE-428) - CVE-2025-66461 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 6.7 (Medium) [IPA Score] Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality Impact: High Integrity Impact: High Availability Impact: High
Affected Products

GS Yuasa International Ltd. FULLBACK Manager Pro (for Windows) version 4.00 and earlier FULLBACK Manager Pro for Network (for Windows) version 3.00 and earlier

Impact
A user may execute arbitrary code withSYSTEMprivilege if he/she has the write permission on the path to the directory where the affected product is installed.
Solution
[Update the Software] Update the software to the latest version according to the information provided by the developer.
Vendor Information
GS Yuasa International Ltd. GS Yuasa International Ltd. : Vulnerability in power management software for uninterruptible power supplies (UPS) (in Japanese)
CWE (What is CWE?)
No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)
CVE-2025-66461
References
JVN : JVN#59242986
Revision History
[2025/12/08] Web page was published


Date Public	2025/12/08
Date First Published	2025/12/08
Date Last Updated	2025/12/08

GS Yuasa FULLBACK Manager Pro registers Windows services with unquoted file paths