[Japanese]

JVNDB-2026-000091

Seiko Solutions SkyBridge MB-A100/MB-A110 vulnerable to OS command injection

Overview

SkyBridge MB-A100/MB-A110 provided by Seiko Solutions Inc. contains the following vulnerability.
  • OS command injection (CWE-78) - CVE-2026-50043
Takeshi Kuramori and Kaori Takashima of National Institute of Information and Communications Technology, Cybersecurity Research Institute reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.2 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS v4 Severity
Base Metrics: 8.6 (High) [IPA Score]
  • Access Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): High
  • User Interaction (UI): None
  • Vulnerable System Impact
  • Confidentiality Impact (VC): High
  • Integrity Impact (VI): High
  • Availability Impact (VA): High
  • Subsequent System Impact
  • Confidentiality Impact (SC): None
  • Integrity Impact (SI): None
  • Availability Impact (SA): None
Affected Products


Seiko Solutions Inc.
  • SkyBridge MB-A100 firmware all versions
  • SkyBridge MB-A110 firmware all versions

Impact

An arbitrary OS command may be executed by an attacker who can log in to the product with an administrative privilege.
Solution

[Apply the Workaround]
SkyBridge MB-A100/MB-A110 is no longer supported, and no firmware update to address this vulnerability will be released.
If the affected product remains in use, apply the following workarounds to mitigate the impact of this vulnerability.
  • Change the default administrator password
  • Disable WebUI access
  • Restrict the IP addresses that can access the product from the WAN
  • Use a closed network
For more details, refer to the information provided by the developer.
Vendor Information

Seiko Solutions Inc.
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2026-50043
References

  1. JVN : JVN#20721579
Revision History

  • [2026/07/01]
      Web page was published