JVN#55395471: Oki Electric Industry products and OEM products register Windows services with unquoted file paths

Overview

Products provided by Oki Electric Industry Co., Ltd. and its OEM products (Ricoh Co., Ltd., Murata Machinery, Ltd.) register Windows services with unquoted file paths.

Products Affected

Multiple products are affected by this vulnerability. For details, see the "Vendor Status" section.

Description

Configuration Tool provided by Oki Electric Industry Co., Ltd., Ricoh Co., Ltd., and Murata Machinery, Ltd. contain the following vulnerability.

Unquoted search path or element (CWE-428)
- CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
- CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 6.7
- CVE-2026-24466

Impact

A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.

Solution

For the solution, refer to the information provided by the vendor.

Vendor Status

Vendor	Link
Oki Electric Industry Co., Ltd.	Response to Vulnerability Caused by Unquoted Windows Service Executable File Paths (Text in Japanese)
	Security Information:SA-2026-0001
Ricoh Company, Ltd.	Specific Ricoh MFP and Printer Products - Response to Vulnerability Caused by Unquoted Windows Service Executable File Paths (Text in Japanese)
Murata Machinery, Ltd.	Mitigation for Vulnerabilities Caused by Unquoted Windows Service Executable Paths (Text in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2026-24466
JVN iPedia	JVNDB-2026-000022

JVN#55395471 Oki Electric Industry products and OEM products register Windows services with unquoted file paths