Published: 2025/08/08  Last Updated: 2025/08/08

JVN#39636188
Multiple vulnerabilities in Mubit Powered BLUE 870

Overview

Powered BLUE 870 provided by Mubit co.,ltd. contains multiple vulnerabilities.

Products Affected

  • Powered BLUE 870 versions 0.20130927 and prior

Description

Powered BLUE 870 provided by Mubit co.,ltd. contains multiple vulnerabilities listed below.

  • OS command injection (CWE-78)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Base Score 5.3
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Base Score 6.3
    • CVE-2025-54958
  • Path traversal (CWE-22)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 5.3
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score 4.3
    • CVE-2025-54959

Impact

  • Arbitrary OS commands may be executed on the affected product by an authenticated user (CVE-2025-54958)
  • An arbitrary file in the affected product may be accessed by an authenticated user (CVE-2025-54959)

Solution

Stop using the product and switch to an alternative product
The developer states that the affected product is no longer supported and recommends using the unaffected alternative product, Powered BLUE 890.

Vendor Status

Vendor Link
Mubit co.,ltd. Powered BLUE 890 (Text in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2025-54958
Yusuke SAKAI of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2025-54959
Satoshi Horikoshi of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2025-54958, CVE-2025-54959
JVN iPedia: JVNDB-2025-000057