Published:2025/04/10  Last Updated:2025/04/10

JVN#30641875
Multiple vulnerabilities in BizRobo!

Overview

BizRobo! provided by OPEN, Inc. contains multiple vulnerabilities.

Products Affected

CVE-2025-31362, CVE-2025-31932

  • BizRobo! all versions

CVE-2013-7285

  • BizRobo! versions v11.1 and earlier

Description

BizRobo! is RPA (Robotic Process Automation) software provided by OPEN, Inc. Users build an automation flow and create robot files using Design Studio, a development application that runs on Windows. A web application, Management Console, is provided to schedule RPA execution and to check the execution logs.

BizRobo! contains multiple vulnerabilities listed below.

  • Use of hard-coded cryptographic key (CWE-321)
    • CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 3.7
    • CVE-2025-31362
    • Robot files may contain credential information. Those credentials are encrypted with the same single key.
  • Deserialization of untrusted data in the import function (CWE-502)
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
    • CVE-2013-7285
    • Management Console contains an old version of the XStream library that is vulnerable to deserialization of untrusted data.
  • Deserialization of untrusted data in Design Studio license authorization (CWE-502)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.8
    • CVE-2025-31932
    • Management Console works as the licensing server for Design Studio, and it is vulnerable to untrusted data deserialization.

Impact

  • Credentials inside robot files may be obtained if the encryption key is available (CVE-2025-31362)
  • Arbitrary code is executed on the Management Console (CVE-2013-7285, CVE-2025-31932)

Solution

CVE-2025-31362, CVE-2025-31932
Apply the workaround
Apply the workaround according to the information provided by the developer.

CVE-2013-7285
Update the software or apply the workaround
The patch support period for the affected versions has ended. The developer recommends updating to the latest version.
If there is any problem with updating the affected product, the developer recommends applying the workaround.

For more information, refer to the information provided by the developer.
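
A quick inventory check for the CVE-2013-7285 item, added here as an example and not taken from the advisory or from OPEN, Inc.: it sweeps an install directory for bundled XStream JARs, including ones inside WAR/EAR/ZIP archives, and flags versions that upstream XStream lists as affected. The `xstream-<version>.jar` file naming, the archive layout and the directory passed in are assumptions; a renamed or repackaged copy of the library will not be found this way.

```python
import re
import zipfile
from pathlib import Path

# Assumption: the library keeps its conventional artifact name, e.g.
# xstream-1.4.6.jar. Sibling artifacts such as xstream-hibernate-*.jar
# are deliberately not matched.
JAR_RE = re.compile(r"(?:^|/)xstream-(\d+(?:\.\d+)*)[^/]*\.jar$", re.IGNORECASE)
ARCHIVES = {".war", ".ear", ".zip"}


def affected_by_cve_2013_7285(version: str) -> bool:
    """Upstream XStream lists releases up to and including 1.4.6 as affected,
    plus 1.4.10 when its security framework has not been initialised."""
    parts = tuple(int(p) for p in version.split("."))
    return parts <= (1, 4, 6) or parts == (1, 4, 10)


def find_xstream(root):
    """Return sorted (location, version, affected) tuples for every XStream
    JAR found on disk or listed inside an archive under root."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        names = [path.name]
        if path.suffix.lower() in ARCHIVES:
            try:
                with zipfile.ZipFile(path) as zf:
                    names = zf.namelist()
            except zipfile.BadZipFile:
                continue  # unreadable archive: skip it, keep sweeping
        for name in names:
            m = JAR_RE.search(name)
            if m:
                loc = str(path) if name == path.name else f"{path}!/{name}"
                ver = m.group(1)
                hits.append((loc, ver, affected_by_cve_2013_7285(ver)))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # The directory argument is whatever path the product is installed under.
    for loc, ver, bad in find_xstream(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if bad else 'ok':8} {ver:8} {loc}")
```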

Credit

Masamu Asato of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2025-31362, CVE-2025-31932
JVN iPedia: JVNDB-2025-000026