[Japanese]

JVNDB-2026-000041

SANYO DENKI SANUPS SOFTWARE registers Windows services with unquoted file paths

Overview

SANUPS SOFTWARE provided by SANYO DENKI CO., LTD. contains the following vulnerability.
  • Unquoted search path or element (CWE-428) - CVE-2026-33253
Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.7 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS v4 Severity
Base Metrics: 8.4 (High) [IPA Score]
  • Access Vector (AV): Local
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): High
  • User Interaction (UI): None
    • Vulnerable System Impact
  • Confidentiality Impact (VC): High
  • Integrity Impact (VI): High
  • Availability Impact (VA): High
    • Subsequent System Impact
  • Confidentiality Impact (SC): None
  • Integrity Impact (SI): None
  • Availability Impact (SA): None
Affected Products


SANYO DENKI CO., LTD.
  • SANUPS SOFTWARE Ver.2.0.0 to Ver.2.0.2
  • SANUPS SOFTWARE Ver.1.0.0 to Ver.1.1.4
  • SANUPS SOFTWARE STANDALONE Ver.1.0.1 to Ver.1.1.4

Impact

A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
The developer has released the following versions to fix the vulnerability.
  • For SANUPS SOFTWARE STANDALONE Ver.1.0.1 and Ver.1.1.0 to Ver.1.1.4
    • SANUPS SOFTWARE STANDALONE Ver.1.1.5
  • For SANUPS SOFTWARE Ver.2.0.0 to Ver.2.0.2
    • SANUPS SOFTWARE Ver.2.0.3
For SANUPS SOFTWARE Ver.1.0.0 to Ver.1.1.4, replace it with Ver.3.0.1. For more information, refer to the information provided by the developer.
Vendor Information

SANYO DENKI CO., LTD.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2026-33253
References

  1. JVN : JVN#90835713
Revision History

  • [2026/03/25]
      Web page was published

Date Public2026/03/25
Date First Published2026/03/25
Date Last Updated2026/03/25