Published:2025/03/25  Last Updated:2025/03/26

JVNVU#91154745
Multiple vulnerabilities in CHOCO TEI WATCHER mini

Overview

CHOCO TEI WATCHER mini provided by Inaba Denki Sangyo Co., Ltd. contains multiple vulnerabilities.

Products Affected

  • CHOCO TEI WATCHER mini (IB-MCT001) all versions

Description

CHOCO TEI WATCHER mini provided by Inaba Denki Sangyo Co., Ltd. contains multiple vulnerabilities listed below.

  • Use of client-side authentication (CWE-603)
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 7.5
    • CVE-2025-24517
  • Storing passwords in a recoverable format (CWE-257)
    • CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 4.6
    • CVE-2025-24852
  • Weak password requirements (CWE-521)
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
    • CVE-2025-25211
  • Forced browsing (CWE-425)
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
    • CVE-2025-26689

Impact

  • A remote attacker may obtain the product's login password without authentication (CVE-2025-24517)
  • An attacker who can access the microSD card used on the product may obtain the product's login password (CVE-2025-24852)
  • A brute-force attack may allow an attacker to gain unauthorized access and log in (CVE-2025-25211)
  • If a remote attacker sends a specially crafted HTTP request to the product, the product's data may be obtained or deleted, and/or the product's settings may be altered (CVE-2025-26689)

Solution

Apply the Workaround
The following workarounds may mitigate the impacts of these vulnerabilities.

  • Use the product within a LAN and block access from untrusted networks and hosts through firewalls
  • Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when internet access is required, and restrict internet access to a minimum
  • Restrict operation of the product (including use/handling of microSD cards on the product) to authorized users only
For more details, refer to the information provided by the developer.

Vendor Status

References

  1. ICS Advisory | ICSA-25-084-04
    Inaba Denki Sangyo CHOCO TEI WATCHER mini
  2. Nozomi Networks
    Unpatched Vulnerabilities in Production Line Cameras May Allow Remote Surveillance, Hinder Stoppage Recording

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Andrea Palanca of Nozomi Networks reported these vulnerabilities to the developer and CISA ICS.
JPCERT/CC coordinated with the reporter, CISA ICS, and the developer.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2025-24517, CVE-2025-24852, CVE-2025-25211, CVE-2025-26689
JVN iPedia

Update History

2025/03/26
Information under the section [References] was updated