|
[Japanese]
|
JVNDB-2025-005057
|
Multiple vulnerabilities in I-O DATA network attached hard disk 'HDL-T Series'
|
|
Network attached hard disk 'HDL-T Series' provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities.
- OS command injection (CWE-78)
- Affected when 'Remote Link3 function' is enabled
- CVE-2025-32002
- Missing authentication for critical function (CWE-306)
Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
|
|
CVSS V3 Severity:
Base Metrics 9.8 (Critical) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-32002
|
CVSS V3 Severity:
Base Metrics5.3 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-32738
|
|
|
I-O DATA DEVICE, INC.
- HDL-T Series firmware Ver.1.21 and earlier
|
The following products are affected:
- HDL-TC1
- HDL-TC500
- HDL-T1NV
- HDL-T1WH
- HDL-T2NV
- HDL-T2WH
- HDL-T3NV
- HDL-T3WH
|
|
- A remote unauthenticated attacker may execute an arbitrary OS command (CVE-2025-32002)
- A remote unauthenticated attacker may change the product settings (CVE-2025-32738)
|
|
[Update the Firmware]
Update the firmware to the latest version according to the information provided by the developer.
The developer has released the following version that addresses the vulnerabilities.
- HDL-T Series firmware Ver.1.22
|
|
I-O DATA DEVICE, INC.
|
|
- Missing Authentication for Critical Function(CWE-306) [Other]
- OS Command Injection(CWE-78) [Other]
|
|
- CVE-2025-32002
- CVE-2025-32738
|
|
- JVN : JVNVU#91726405
|
|
- [2025/05/15]
Web page was published
|
