JVN#16547726
Multiple vulnerabilities in Sato label printers CL4/6NX Plus and CL4/6NX-J Plus series

Overview

Sato label printers CL4/6NX Plus and CL4/6NX-J Plus series provided by SATO Corporation contain multiple vulnerabilities.

Products Affected

• CL4/6NX Plus, firmware versions prior to 1.15.5-r1
• CL4/6NX-J Plus (Japan model), firmware versions prior to 1.15.5-r1

Description

Sato label printers CL4/6NX Plus and CL4/6NX-J Plus series provided by SATO Corporation contain multiple vulnerabilities listed below.

• OS command injection (CWE-78)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Base Score 6.9
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score 7.3
  • CVE-2025-22469
• Unrestricted upload of file with dangerous type (CWE-434)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
  • CVE-2025-22470

Impact

• A remote attacker may execute an arbitrary OS command on the system with a certain non-administrative user privilege (CVE-2025-22469)
• A remote attacker may execute an arbitrary Lua script on the system with root privilege (CVE-2025-22470)

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Apply workarounds
The developer provides workarounds for users who cannot apply the update.

Refer to the information provided by the developer for details.