Published: 2025/01/22  Last Updated: 2025/01/22

JVN#15293958
Multiple vulnerabilities in I-O DATA router UD-LT2

Overview

UD-LT2 provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities.

Products Affected

  • UD-LT2 firmware Ver.1.00.008_SE and earlier

Description

UD-LT2 provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities listed below.

  • OS Command Injection (CWE-78)
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
    • CVE-2025-20617
  • Inclusion of Undocumented Features (CWE-1242)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Base Score 7.5
    • CVE-2025-22450
  • OS Command Injection (CWE-78)
    • CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 6.6
    • CVE-2025-23237

Impact

  • An arbitrary OS command may be executed by an attacker who can access the affected product with an administrative account (CVE-2025-20617)
  • A remote attacker may disable the LAN-side firewall function of the affected product and open specific ports (CVE-2025-22450)
  • If a user logs in to the CLI of the affected product, an arbitrary OS command may be executed (CVE-2025-23237)

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
The developer has released the update listed below that addresses these vulnerabilities.

  • UD-LT2 firmware Ver.1.00.011_SE

Vendor Status

Vendor                  Status       Last Update   Vendor Notes
I-O DATA DEVICE, INC.   Vulnerable   2025/01/22    I-O DATA DEVICE, INC. website

Credit

Takeshi Kuramori, Kaori Takashima, and Kohei Masumi of National Institute of Information and Communications Technology, Cybersecurity Research Institute reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2025-20617, CVE-2025-22450, CVE-2025-23237
JVN iPedia: JVNDB-2025-000004