CVE-2025-26689

CVSS 9.8 CRITICAL | EPSS 1.1% | CWE-425

In short

An attacker can directly access or delete data and change settings on CHOCO TEI WATCHER mini devices by sending specially crafted requests, without needing to authenticate. This is a serious flaw because the devices are reachable over the network, so anyone who can send requests to an exposed device could exploit it.

Technical detail

A Forced Browsing vulnerability (CWE-425) in CHOCO TEI WATCHER mini (IB-MCT001) all versions allows unauthenticated remote attackers to access, modify, or delete sensitive data and alter product configuration via direct HTTP requests. The vulnerability requires no authentication or user interaction and affects all versions of the product.

Summary generated and translated by AI from the official description.
Direct request ('Forced Browsing') issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If a remote attacker sends a specially crafted HTTP request to the product, the product data may be obtained or deleted, and/or the product settings may be altered.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
