Ryo Kamino

Name of the Vulnerable Software and Affected Versions: TB-eye network recorders and AHD recorders (affected versions not specified) Description: A buffer overflow issue exists in the affected devices. The CGI process may terminate abnormally when processing a specially crafted request. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: TB-eye network recorders (affected versions not specified) AHD recorders (affected versions not specified) Description: A problem of injection of system operating system commands exists in the mentioned devices. If this issue is exploited, an attacker who logs in to the device could execute an arbitrary system command. Recommendations: For TB-eye network recorders, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For AHD recorders, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: I-O DATA HDL-T Series versions 1.21 and earlier Description: The issue is related to a lack of authentication for critical functions in the firmware. This could allow a remote unauthenticated attacker to modify the product's configuration settings. Recommendations: For I-O DATA HDL-T Series versions 1.21 and earlier, consider restricting access to the device until a patch is available. As a temporary workaround, limit the exposure of the device to the network to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: I-O DATA HDL-T Series firmware versions 1.21 and earlier Description: The issue is related to the improper neutralization of special elements used in an OS command, also known as 'OS Command Injection'. This problem exists in the I-O DATA network attached hard disk 'HDL-T Series' firmware when the 'Remote Link3 function' is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command. Recommendations: For I-O DATA HDL-T Series firmware versions 1.21 and earlier, update the firmware to a version that contains a fix for this issue as soon as possible. As a temporary workaround, consider disabling the 'Remote Link3 function' to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Deco BE65 Pro versions prior to Deco BE65 Pro(JP) V1 1.1.2 Build 20250123 Description: The issue is related to an OS command injection vulnerability. If exploited, it allows a user who can log in to the device to execute an arbitrary OS command. Recommendations: For versions prior to Deco BE65 Pro(JP) V1 1.1.2 Build 20250123, update to version Deco BE65 Pro(JP) V1 1.1.2 Build 20250123 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** FutureNet AS series (Industrial Routers) (affected versions not specified) **Description** An authentication bypass issue exists, allowing a remote unauthenticated attacker to obtain device information, such as the MAC address, by sending a specially crafted request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FutureNet AS series (Industrial Routers) and FA series (Protocol Conversion Machine) (affected versions not specified) **Description** A buffer overflow issue exists, allowing a remote unauthenticated attacker to reboot the device by sending a specially crafted request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** STEALTHONE D220/D340 versions up to 6.03.02 **Description** The issue is related to an OS command injection vulnerability in the network storage servers STEALTHONE D220/D340 provided by Y'S corporation. This vulnerability may allow a remote attacker to execute arbitrary OS commands if they can access the affected product. **Recommendations** For STEALTHONE D220/D340 versions up to 6.03.02, update to a version later than 6.03.02 to resolve the issue. As a temporary workaround, consider restricting access to the affected product to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** STEALTHONE D220/D340/D440 (affected versions not specified) **Description** A user with administrative privileges who logs in to the web management page of the affected product may execute an arbitrary OS command. The vulnerability is related to the lack of measures to neutralize special elements used in the OS command. This could allow a remote attacker to execute arbitrary commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** STEALTHONE D220/D340 versions up to 6.03.02 **Description** A SQL Injection vulnerability exists in the STEALTHONE D220/D340, allowing an attacker who can access the affected product to obtain the administrative password of the web management page. This issue is related to the lack of protection measures for the SQL query structure, which can be exploited by a remote attacker to gain unauthorized access to protected information. **Recommendations** For STEALTHONE D220/D340 versions up to 6.03.02, consider disabling access to the web management page until a patch is available. Restrict access to the administrative password to minimize the risk of exploitation. Avoid using the web management page for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AE1021 firmware versions 2.0.10 and earlier AE1021PE firmware versions 2.0.10 and earlier **Description** An issue exists due to the improper neutralization of special elements used in an OS command, which may allow a logged-in user to execute an arbitrary OS command using a crafted HTTP request. This issue is related to 'OS Command Injection'. **Recommendations** For AE1021 firmware versions 2.0.10 and earlier, consider disabling the ability to execute OS commands until a patch is available. For AE1021PE firmware versions 2.0.10 and earlier, restrict access to the vulnerable module to minimize the risk of exploitation. As a temporary workaround, avoid using crafted HTTP requests that may trigger the OS command injection issue until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: AE1021 versions 2.0.10 and earlier AE1021PE versions 2.0.10 and earlier Description: The issue exists due to the inclusion of undocumented features or 'chicken bits' in the firmware, which may allow a logged-in user to enable the telnet service. Recommendations: For AE1021 versions 2.0.10 and earlier, consider disabling the telnet service until a patch is available. For AE1021PE versions 2.0.10 and earlier, consider disabling the telnet service until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AE1021 versions 2.0.10 and earlier AE1021PE versions 2.0.10 and earlier **Description** A weak authentication issue exists, allowing the authentication to be bypassed with an undocumented specific string if the vulnerability is exploited. **Recommendations** For AE1021 versions 2.0.10 and earlier, update to a version later than 2.0.10 to resolve the issue. For AE1021PE versions 2.0.10 and earlier, update to a version later than 2.0.10 to resolve the issue. As a temporary workaround, consider restricting access to the authentication mechanism until a patch is available.

Name of the Vulnerable Software and Affected Versions: I-O Data Device UD-LT1 versions 2.1.8 and earlier I-O Data Device UD-LT1/EX versions 2.1.8 and earlier Description: The issue exists due to the inclusion of undocumented features, which can be exploited by a remote attacker to disable the firewall function of the affected products. This can result in the execution of arbitrary OS commands and/or alteration of the device's configuration settings. A remote attacker may bypass existing security restrictions and execute arbitrary commands. Recommendations: For I-O Data Device UD-LT1 versions 2.1.8 and earlier, update to a version later than 2.1.8 to resolve the issue. For I-O Data Device UD-LT1/EX versions 2.1.8 and earlier, update to a version later than 2.1.8 to resolve the issue. As a temporary workaround, consider restricting access to the device's configuration settings and monitoring the device's security logs for suspicious activity until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MZK-MF300N all firmware versions **Description** An active debug code vulnerability exists, allowing a logged-in user who knows how to use the debug function to perform unintended operations when accessing the device's management page. **Recommendations** For all firmware versions, consider disabling the debug function as a temporary workaround until a patch is available. Restrict access to the device's management page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MZK-MF300N all firmware versions **Description** A command injection issue allows a network-adjacent unauthenticated attacker to execute an arbitrary command by sending a specially crafted request to a certain port. **Recommendations** For all firmware versions, consider restricting access to the affected port as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ELECOM CO.,LTD. routers (affected versions not specified) LOGITEC CORPORATION routers (affected versions not specified) **Description** The issue is related to inadequate encryption strength in multiple routers, allowing a network-adjacent unauthenticated attacker to guess the encryption key used for wireless LAN communication and intercept the communication. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.