Published:2025/12/08 Last Updated:2025/12/08
JVN#59242986
GS Yuasa FULLBACK Manager Pro registers Windows services with unquoted file paths
Overview
FULLBACK Manager Pro provided by GS Yuasa International Ltd. registers two Windows services with unquoted file paths.
Products Affected
- FULLBACK Manager Pro (for Windows) version 4.00 and earlier
- FULLBACK Manager Pro for Network (for Windows) version 3.00 and earlier
Description
FULLBACK Manager Pro provided by GS Yuasa International Ltd. contains the following vulnerability.
- Unquoted search path or element (CWE-428)
- CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
- CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 6.7
- CVE-2025-66461
Impact
A user may execute arbitrary code with SYSTEM privilege if he/she has the write permission on the path to the directory where the affected product is installed.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| GS Yuasa International Ltd. | Vulnerability in power management software for uninterruptible power supplies (UPS) (Text in Japanese, PDF) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2025-66461 |
| JVN iPedia |
JVNDB-2025-000116 |