All the vulnerabilites related to INABA DENKI SANGYO CO., LTD. - CHOCO TEI WATCHER mini (IB-MCT001)
jvndb-2025-002592
Vulnerability from jvndb
Published
2025-03-26 13:25
Modified
2025-03-26 13:25
Severity ?
Summary
Multiple vulnerabilities in CHOCO TEI WATCHER mini
Details
CHOCO TEI WATCHER mini provided by Inaba Denki Sangyo Co., Ltd. contains multiple vulnerabilities listed below.
* Use of client-side authentication (CWE-603) - CVE-2025-24517
* Storing passwords in a recoverable format (CWE-257) - CVE-2025-24852
* Weak password requirements (CWE-521) - CVE-2025-25211
* Forced browsing (CWE-425) - CVE-2025-26689
Andrea Palanca of Nozomi Networks reported these vulnerabilities to the developer and CISA ICS.
JPCERT/CC coordinated with the reporter, CISA ICS, and the developer.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | https://jvn.jp/en/vu/JVNVU91154745/index.html | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2025-24517 | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2025-24852 | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2025-25211 | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2025-26689 | |
| ICS-CERT ADVISORY | https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04 | |
| Related document | https://www.nozominetworks.com/blog/unpatched-vulnerabilities-in-production-line-cameras-may-allow-remote-surveillance-hinder-stoppage-recording | |
| Storing Passwords in a Recoverable Format(CWE-257) | https://cwe.mitre.org/data/definitions/257.html | |
| Direct Request ('Forced Browsing')(CWE-425) | https://cwe.mitre.org/data/definitions/425.html | |
| Weak Password Requirements(CWE-521) | https://cwe.mitre.org/data/definitions/521.html | |
| Use of Client-Side Authentication(CWE-603) | https://cwe.mitre.org/data/definitions/603.html |
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-002592.html",
"dc:date": "2025-03-26T13:25+09:00",
"dcterms:issued": "2025-03-26T13:25+09:00",
"dcterms:modified": "2025-03-26T13:25+09:00",
"description": "CHOCO TEI WATCHER mini provided by Inaba Denki Sangyo Co., Ltd. contains multiple vulnerabilities listed below.\r\n\r\n* Use of client-side authentication (CWE-603) - CVE-2025-24517\r\n* Storing passwords in a recoverable format (CWE-257) - CVE-2025-24852\r\n* Weak password requirements (CWE-521) - CVE-2025-25211\r\n* Forced browsing (CWE-425) - CVE-2025-26689\r\n\r\nAndrea Palanca of Nozomi Networks reported these vulnerabilities to the developer and CISA ICS.\r\nJPCERT/CC coordinated with the reporter, CISA ICS, and the developer.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-002592.html",
"sec:cpe": {
"#text": "cpe:/o:inaba:choco_tei_watcher_mini",
"@product": "CHOCO TEI WATCHER mini (IB-MCT001)",
"@vendor": "INABA DENKI SANGYO CO., LTD.",
"@version": "2.2"
},
"sec:cvss": {
"@score": "9.8",
"@severity": "Critical",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-002592",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU91154745/index.html",
"@id": "JVNVU#91154745",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-24517",
"@id": "CVE-2025-24517",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-24852",
"@id": "CVE-2025-24852",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-25211",
"@id": "CVE-2025-25211",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-26689",
"@id": "CVE-2025-26689",
"@source": "CVE"
},
{
"#text": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04",
"@id": "ICSA-25-084-04",
"@source": "ICS-CERT ADVISORY"
},
{
"#text": "https://www.nozominetworks.com/blog/unpatched-vulnerabilities-in-production-line-cameras-may-allow-remote-surveillance-hinder-stoppage-recording",
"@id": "Unpatched Vulnerabilities in Production Line Cameras May Allow Remote Surveillance, Hinder Stoppage Recording",
"@source": "Related document"
},
{
"#text": "https://cwe.mitre.org/data/definitions/257.html",
"@id": "CWE-257",
"@title": "Storing Passwords in a Recoverable Format(CWE-257)"
},
{
"#text": "https://cwe.mitre.org/data/definitions/425.html",
"@id": "CWE-425",
"@title": "Direct Request (\u0027Forced Browsing\u0027)(CWE-425)"
},
{
"#text": "https://cwe.mitre.org/data/definitions/521.html",
"@id": "CWE-521",
"@title": "Weak Password Requirements(CWE-521)"
},
{
"#text": "https://cwe.mitre.org/data/definitions/603.html",
"@id": "CWE-603",
"@title": "Use of Client-Side Authentication(CWE-603)"
}
],
"title": "Multiple vulnerabilities in CHOCO TEI WATCHER mini"
}
cve-2025-26689
Vulnerability from cvelistv5
Published
2025-03-31 04:49
Modified
2025-03-31 15:58
Severity ?
EPSS score ?
Summary
Direct request ('Forced Browsing') issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If a remote attacker sends a specially crafted HTTP request to the product, the product data may be obtained or deleted, and/or the product settings may be altered.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T15:58:43.306787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T15:58:55.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CHOCO TEI WATCHER mini (IB-MCT001)",
"vendor": "Inaba Denki Sangyo Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Direct request (\u0027Forced Browsing\u0027) issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If a remote attacker sends a specially crafted HTTP request to the product, the product data may be obtained or deleted, and/or the product settings may be altered."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "Direct request (\u0027Forced Browsing\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T04:49:30.059Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.inaba.co.jp/files/chocomini_vulnerability.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU91154745/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04"
},
{
"url": "https://www.nozominetworks.com/blog/unpatched-vulnerabilities-in-production-line-cameras-may-allow-remote-surveillance-hinder-stoppage-recording"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-26689",
"datePublished": "2025-03-31T04:49:30.059Z",
"dateReserved": "2025-02-13T01:13:10.937Z",
"dateUpdated": "2025-03-31T15:58:55.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-24517
Vulnerability from cvelistv5
Published
2025-03-31 04:48
Modified
2025-03-31 12:59
Severity ?
EPSS score ?
Summary
Use of client-side authentication issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, a remote attacker may obtain the product login password without authentication.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T12:59:27.616832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T12:59:34.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CHOCO TEI WATCHER mini (IB-MCT001)",
"vendor": "Inaba Denki Sangyo Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use of client-side authentication issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, a remote attacker may obtain the product login password without authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-603",
"description": "Use of client-side authentication",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T04:48:57.473Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.inaba.co.jp/files/chocomini_vulnerability.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU91154745/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04"
},
{
"url": "https://www.nozominetworks.com/blog/unpatched-vulnerabilities-in-production-line-cameras-may-allow-remote-surveillance-hinder-stoppage-recording"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-24517",
"datePublished": "2025-03-31T04:48:57.473Z",
"dateReserved": "2025-02-13T01:13:12.880Z",
"dateUpdated": "2025-03-31T12:59:34.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-24852
Vulnerability from cvelistv5
Published
2025-03-31 04:49
Modified
2025-03-31 16:02
Severity ?
EPSS score ?
Summary
Storing passwords in a recoverable format issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, an attacker who can access the microSD card used on the product may obtain the product login password.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24852",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T16:01:40.322037Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T16:02:38.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CHOCO TEI WATCHER mini (IB-MCT001)",
"vendor": "Inaba Denki Sangyo Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Storing passwords in a recoverable format issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, an attacker who can access the microSD card used on the product may obtain the product login password."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-257",
"description": "Storing passwords in a recoverable format",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T04:49:07.988Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.inaba.co.jp/files/chocomini_vulnerability.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU91154745/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04"
},
{
"url": "https://www.nozominetworks.com/blog/unpatched-vulnerabilities-in-production-line-cameras-may-allow-remote-surveillance-hinder-stoppage-recording"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-24852",
"datePublished": "2025-03-31T04:49:07.988Z",
"dateReserved": "2025-02-13T01:13:13.769Z",
"dateUpdated": "2025-03-31T16:02:38.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-25211
Vulnerability from cvelistv5
Published
2025-03-31 04:49
Modified
2025-03-31 16:01
Severity ?
EPSS score ?
Summary
Weak password requirements issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, a brute-force attack may allow an attacker unauthorized access and login.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T16:00:36.292801Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T16:01:20.073Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CHOCO TEI WATCHER mini (IB-MCT001)",
"vendor": "Inaba Denki Sangyo Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weak password requirements issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, a brute-force attack may allow an attacker unauthorized access and login."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-521",
"description": "Weak password requirements",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T04:49:19.439Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.inaba.co.jp/files/chocomini_vulnerability.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU91154745/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04"
},
{
"url": "https://www.nozominetworks.com/blog/unpatched-vulnerabilities-in-production-line-cameras-may-allow-remote-surveillance-hinder-stoppage-recording"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-25211",
"datePublished": "2025-03-31T04:49:19.439Z",
"dateReserved": "2025-02-13T01:13:11.820Z",
"dateUpdated": "2025-03-31T16:01:20.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}