JVN#90757550
Multiple vulnerabilities in desknet's NEO
Overview
desknet's NEO provided by NEOJAPAN Inc. contains multiple vulnerabilities.
Products Affected
CVE-2025-24833
- desknet's NEO V4.0R1.0 to V9.0R2.0
- desknet's Web Server
- desknet's NEO V9.0R2.0 and earlier
- desknet's NEO V2.0R1.0 to V9.0R2.0
- desknet's NEO V4.0R1.0 to V9.0R2.0
Description
desknet's NEO provided by NEOJAPAN Inc. contains multiple vulnerabilities listed below.
- Stored cross-site scripting (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 4.8
  - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
  - CVE-2025-24833, CVE-2025-54760, CVE-2025-55072
- Reflected cross-site scripting (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
  - CVE-2025-52583
- Stored cross-site scripting (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 4.6
  - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Base Score 4.8
  - CVE-2025-54859
- Improper protection of alternate path in AppSuite (CWE-424)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.3
  - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score 4.3
  - CVE-2025-58079
- Use of hard-coded cryptographic key (CWE-321)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.3
  - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score 4.3
  - CVE-2025-58426
Impact
- Arbitrary JavaScript may be executed in the web browser of a user of the product (CVE-2025-24833, CVE-2025-52583, CVE-2025-54760, CVE-2025-54859, CVE-2025-55072)
- Malicious AppSuite apps may be created by a remote authenticated attacker (CVE-2025-58079, CVE-2025-58426)
Solution
For CVE-2025-24833, CVE-2025-54760, CVE-2025-54859, CVE-2025-55072, CVE-2025-58079, CVE-2025-58426:
Update the Software
Update the software to the latest version according to the information provided by the developer.
For CVE-2025-52583:
Stop using desknet's Web Server and switch to IIS
The developer recommends that users stop using desknet's Web Server and switch to Internet Information Services (IIS). For more details, refer to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
NEOJAPAN Inc. | Vulnerable | 2025/10/16 | NEOJAPAN Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
The following people reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2025-24833
Reporter: Sho Odagiri of GMO Cybersecurity by Ierae, Inc.
CVE-2025-52583, CVE-2025-54760
Reporter: Ryo Sato
CVE-2025-54859
Reporter: Ryo Sato and Daijiro Obata
CVE-2025-55072, CVE-2025-58079, CVE-2025-58426
Reporter: Kentaro Ishii of GMO Cybersecurity by Ierae, Inc.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2025-24833, CVE-2025-52583, CVE-2025-54760, CVE-2025-54859, CVE-2025-55072, CVE-2025-58079, CVE-2025-58426 |
JVN iPedia | JVNDB-2025-000074 |