Published: 2025/02/05  Last Updated: 2025/02/05

JVN#66673020
Multiple vulnerabilities in Defense Platform Home Edition

Overview

Defense Platform Home Edition provided by Humming Heads Inc. contains multiple vulnerabilities.

Products Affected

  • Defense Platform Home Edition Ver.3.9.51.x and earlier versions

Description

Defense Platform Home Edition provided by Humming Heads Inc. contains multiple vulnerabilities listed below.

  • Improper handling of message in specific process (CWE-422)
    • CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Base Score 8.8
    • CVE-2025-20094
  • Execution with unnecessary privileges (CWE-250)
    • CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N Base Score 6.5
    • CVE-2025-22890
  • Improper handling of message in specific process (CWE-422)
    • CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N Base Score 6.5
    • CVE-2025-22894
  • Buffer overflow vulnerability in DeviceIoControl (CWE-120)
    • CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Base Score 8.8
    • CVE-2025-23236
  • NULL pointer dereference vulnerability in DeviceIoControl (CWE-476)
    • CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Base Score 6.5
    • CVE-2025-24483
  • Argument injection vulnerability in DPprd.sys and DPavd.sys (CWE-88)
    • CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H Base Score 6.3
    • CVE-2025-24845

Impact

  • If an attacker sends a specially crafted message to the specific process of the Windows system where the product is running, arbitrary code may be executed with SYSTEM privilege (CVE-2025-20094)
  • If an attacker performs a specific operation, SYSTEM privilege on the Windows system where the product is running may be obtained (CVE-2025-22890, CVE-2025-23236)
  • If an attacker sends a specially crafted message to the specific process of the Windows system where the product is running, arbitrary files on the system may be altered. As a result, an arbitrary DLL may be executed with SYSTEM privilege (CVE-2025-22894)
  • If an attacker provides specially crafted data to the specific process of the Windows system where the product is running, the system may crash with a Blue Screen of Death (BSOD), resulting in a denial-of-service (DoS) condition (CVE-2025-24483, CVE-2025-24845)
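The two DeviceIoControl findings listed above, a buffer overflow (CWE-120) and a NULL pointer dereference (CWE-476), are defect classes that a driver's IOCTL dispatch routine prevents by validating the request before touching it: the buffer pointer and length must be checked before the header is interpreted, and any length field embedded in the request must be bounded before it drives a copy. The following is an added example written for this page; it is not code from Defense Platform or Humming Heads and does not describe the actual flaws. The request layout, the IOCTL code, the status names and the helper names are all constructed for the illustration, and the checks are modelled in portable C so they compile without a Windows driver build environment.

```c
/* Added example: the input validation an IOCTL dispatch routine owes a
 * request arriving from user mode. Portable C model; the request layout,
 * IOCTL code and status names below are constructed for this illustration
 * and are not taken from any real driver. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define EXAMPLE_IOCTL_SET_RULE 0x8001u   /* constructed IOCTL code */
#define RULE_MAX_PAYLOAD 64u             /* capacity of the inline payload */

/* Constructed request: fixed header plus a caller-declared payload length. */
typedef struct {
    uint32_t ioctl_code;
    uint32_t payload_len;                /* attacker-controlled, never trusted as-is */
    uint8_t  payload[RULE_MAX_PAYLOAD];
} rule_request_t;

typedef enum {
    IOCTL_STATUS_SUCCESS = 0,
    IOCTL_STATUS_INVALID_PARAMETER,      /* missing buffer (would be CWE-476) */
    IOCTL_STATUS_BUFFER_TOO_SMALL,       /* header not fully inside the buffer */
    IOCTL_STATUS_INVALID_LENGTH,         /* embedded length exceeds capacity (CWE-120) */
    IOCTL_STATUS_NOT_SUPPORTED
} ioctl_status_t;

/* in_buf / in_len model the system buffer and InputBufferLength a handler
 * receives. On success the validated payload is copied into out (at most
 * out_cap bytes) and its length is stored in *out_len. */
ioctl_status_t dispatch_request(const void *in_buf, size_t in_len,
                                uint8_t *out, size_t out_cap, size_t *out_len)
{
    rule_request_t req;

    if (out == NULL || out_len == NULL)
        return IOCTL_STATUS_INVALID_PARAMETER;
    *out_len = 0;

    /* CWE-476: a zero-length request carries no buffer; dereferencing it
     * in kernel mode faults and takes the whole machine down. */
    if (in_buf == NULL || in_len == 0)
        return IOCTL_STATUS_INVALID_PARAMETER;

    /* CWE-120 (read side): do not interpret a header that is not entirely
     * inside the caller's buffer. */
    if (in_len < sizeof(rule_request_t))
        return IOCTL_STATUS_BUFFER_TOO_SMALL;

    /* Work from a local copy so every check below operates on the same
     * bytes that are later used. */
    memcpy(&req, in_buf, sizeof req);

    if (req.ioctl_code != EXAMPLE_IOCTL_SET_RULE)
        return IOCTL_STATUS_NOT_SUPPORTED;

    /* CWE-120 (copy side): the embedded length is attacker-controlled and
     * must be bounded by both the declared capacity and the destination. */
    if (req.payload_len > RULE_MAX_PAYLOAD || req.payload_len > out_cap)
        return IOCTL_STATUS_INVALID_LENGTH;

    memcpy(out, req.payload, req.payload_len);
    *out_len = req.payload_len;
    return IOCTL_STATUS_SUCCESS;
}

/* Exercises the handler with constructed requests; returns the number of
 * scenarios that behaved as expected (5 when everything is correct). */
int self_check(void)
{
    uint8_t out[RULE_MAX_PAYLOAD];
    size_t n = 0;
    int passed = 0;
    rule_request_t r;

    memset(&r, 0, sizeof r);
    r.ioctl_code = EXAMPLE_IOCTL_SET_RULE;
    r.payload_len = 8;
    memcpy(r.payload, "ABCDEFGH", 8);

    /* 1: well-formed request is accepted and copied exactly. */
    if (dispatch_request(&r, sizeof r, out, sizeof out, &n) == IOCTL_STATUS_SUCCESS
        && n == 8 && memcmp(out, "ABCDEFGH", 8) == 0)
        passed++;
    /* 2: no buffer at all is rejected rather than dereferenced. */
    if (dispatch_request(NULL, 0, out, sizeof out, &n) == IOCTL_STATUS_INVALID_PARAMETER)
        passed++;
    /* 3: a truncated header is rejected before it is read. */
    if (dispatch_request(&r, 4, out, sizeof out, &n) == IOCTL_STATUS_BUFFER_TOO_SMALL)
        passed++;
    /* 4: an oversized embedded length is rejected and nothing is copied. */
    r.payload_len = 1000;
    if (dispatch_request(&r, sizeof r, out, sizeof out, &n) == IOCTL_STATUS_INVALID_LENGTH
        && n == 0)
        passed++;
    /* 5: an unknown IOCTL code is refused. */
    r.payload_len = 8;
    r.ioctl_code = 0x9999u;
    if (dispatch_request(&r, sizeof r, out, sizeof out, &n) == IOCTL_STATUS_NOT_SUPPORTED)
        passed++;

    return passed;
}

int main(void)
{
    printf("%d of 5 validation scenarios behaved as expected\n", self_check());
    return 0;
}
```

The order of the checks is the point: pointer and total length are verified before the header is read, and the attacker-controlled `payload_len` is bounded before it reaches `memcpy`. A handler that casts the buffer and copies first, then checks, has already committed the defect.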

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Credit

CVE-2025-20094, CVE-2025-22890, CVE-2025-22894, CVE-2025-23236, CVE-2025-24483
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVE-2025-24845
This vulnerability was reported to IPA under the Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2025-20094, CVE-2025-22890, CVE-2025-22894, CVE-2025-23236, CVE-2025-24483, CVE-2025-24845
JVN iPedia: JVNDB-2025-000008