Published:2025/10/15  Last Updated:2025/10/15

JVN#22713803
Multiple RSUPPORT products may insecurely load Dynamic Link Libraries

Overview

Multiple RSUPPORT products may insecurely load Dynamic Link Libraries.

Products Affected

CVE-2025-26859

  • RemoteView PC Application Console versions prior to 6.0.2
CVE-2025-26860
  • RemoteCall Remote Support Program (for Operator) versions prior to 5.1.0
CVE-2025-26861
  • RemoteCall Remote Support Program (for Operator) versions prior to 5.3.0

Description

Multiple RSUPPORT products contain multiple vulnerabilities listed below.

  • RemoteView PC Application Console vulnerable to uncontrolled search path element (CWE-427)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.5
    • CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2025-26859
  • RemoteCall Remote Support Program (for Operator) vulnerable to uncontrolled search path element (CWE-427)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.5
    • CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2025-26860, CVE-2025-26861

Impact

If a crafted DLL is placed in the same folder with the affected product, it may cause an arbitrary code execution.

Solution

The developer released the fixed versions below in 2017.
CVE-2025-26859

  • RemoteView PC Application Console 6.0.2
CVE-2025-26860
  • RemoteCall Remote Support Program (for Operator) 5.1.0
CVE-2025-26861
  • RemoteCall Remote Support Program (for Operator) 5.3.0
No operation is required by users as the product is always upgraded to the latest version by the automatic update mechanism.

Service for RemoteView PC Application Consol, which is affected by CVE-2025-26859, ended on January 31, 2023.

Vendor Status

Vendor Link
RSUPPORT CO., LTD. Notice of termination of RemoteView PC application console service
RemoteCall Download

References

JPCERT/CC Addendum

These vulnerabilities were reported to IPA, and JPCERT/CC started coordination with the developer in 2017.
The developer released the fixed versions in 2017.
The coordination between JPCERT/CC and the developer completed and this JVN is published in 2025.

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2025-26859
Eiji James Yoshida reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2025-26860, CVE-2025-26861
Eili Masami reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2025-26859
CVE-2025-26860
CVE-2025-26861
JVN iPedia JVNDB-2025-000085