Published:2024/02/29  Last Updated:2024/02/29

Protection mechanism failure in RevoWorks


RevoWorks SCVX and RevoWorks Browser provided by J's Communications Co., Ltd. contain a protection mechanism failure vulnerability.

Products Affected

  • RevoWorks SCVX prior to scvimage4.10.21_1013
  • RevoWorks Browser prior to 2.2.95
Note that the products are affected by this vulnerability only when VirusChecker or ThreatChecker feature is being used.


RevoWorks SCVX and RevoWorks Browser provided by J's Communication Co., Ltd. enable users to execute web browsers in the sandboxed environment isolated from the client's local environment.
In the products, file exchange between the sandboxed environment and local environment is prohibited in principle, but by using the optional "VirusChecker" or "ThreatChecker" feature and changing the policy settings, files checked for viruses by these features in the sandboxed environment can be permitted to be downloaded to the local environment.

However, there is a vulnerability (CWE-693) in the products where malware detection is failed when data containing malware is saved in a specific file format (eml, dmg, vhd, iso, msi) in the sandboxed environment


If data containing malware is saved in a specific file format, malware may be taken outside the sandboxed environment.


Update the software
Update the software to the latest version according to the information provided by the developer.
The developer addressed the vulnerability in the following versions:

  • RevoWorks SCVX scvimage4.10.21_1013
  • RevoWorks Browser 2.2.95
Apply the workaround
Applying the following workaround may avoid the impact of this vulnerability.
  • Do not use "VirusChecker" and "ThreatChecker" features


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Base Score: 2.7
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
Base Score: 4.3
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)


J's Communication Co., Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and J's Communication Co., Ltd. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2024-25091
JVN iPedia JVNDB-2024-000025