Published: 2025/09/18  Last Updated: 2025/09/18

JVNVU#93403671
OMRON SOCIAL SOLUTIONS Uninterruptible Power Supply (UPS) management application registers a Windows service with an unquoted file path

Overview

The Uninterruptible Power Supply (UPS) management application provided by OMRON SOCIAL SOLUTIONS Co., Ltd. registers a Windows service with an unquoted file path.

Products Affected

  • PowerAttendant Standard Edition (Windows version)
    • Ver. 2.0.0 or lower (Currently available)
  • PowerAttendant Basic Edition (Windows version)
    • Ver. 1.1.0 or lower (Currently available)
  • PowerAct Pro (Windows version) <Slave Agent>
    • Ver. 5.20 or lower (Currently available)
  • PowerAct Pro (Windows version) <Master Agent>
    • Ver. 5.17 or lower (End of support)
  • Simple Shutdown Software (Windows version)
    • Ver. 2.51 or lower (End of support)

For more information, refer to the information provided by the developer.

Description

The Uninterruptible Power Supply (UPS) management application provided by OMRON SOCIAL SOLUTIONS Co., Ltd. registers a Windows service with an unquoted file path (CWE-428, CVE-2025-9818).

Impact

If the installation folder path contains spaces, a malicious file may be executed with the privileges of the service account.
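
The following check for the condition described above is an added example, not code from the developer or JPCERT/CC. It classifies service ImagePath values (as stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>) exported from a host; the service names, paths and environment expansions are constructed placeholders, not the real values used by the affected products.

```python
import re

# Constructed sample data: service name -> ImagePath value.
# Names and paths are placeholders, not those of the affected products.
SAMPLE_SERVICES = {
    "ExampleUpsAgent": r"C:\Program Files\Example Vendor\UPS Agent\agent.exe -service",
    "ExampleUpsAgentFixed": r'"C:\Program Files\Example Vendor\UPS Agent\agent.exe" -service',
    "ExampleNoSpace": r"C:\Tools\ups\agent.exe /run",
    "ExampleEnvVar": r"%ProgramFiles%\Example Vendor\agent.exe",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Assumed expansions for variables commonly seen in ImagePath values.
DEFAULT_ENV = {"programfiles": r"C:\Program Files", "systemroot": r"C:\Windows"}

_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)
_ENV_VAR = re.compile(r"%([^%]+)%")


def expand(image_path, env=DEFAULT_ENV):
    """Expand %VAR% references; unknown variables are left untouched."""
    return _ENV_VAR.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), image_path)


def is_unquoted_with_space(image_path, env=DEFAULT_ENV):
    """True when the executable portion contains a space and is not quoted (CWE-428)."""
    value = expand(image_path.strip(), env)
    if value.startswith('"'):
        return False                       # quoted: the path is unambiguous
    match = _EXE_END.search(value)
    if match is None:
        return False                       # no .exe image (e.g. a driver): out of scope
    return " " in value[:match.end()]      # spaces in arguments after .exe do not count


def audit(services, env=DEFAULT_ENV):
    """Return the sorted names of services whose ImagePath needs attention."""
    return sorted(n for n, p in services.items() if is_unquoted_with_space(p, env))


if __name__ == "__main__":
    for name in audit(SAMPLE_SERVICES):
        print(f"unquoted path with spaces: {name}: {SAMPLE_SERVICES[name]}")
```

The executable boundary is found heuristically at the first ".exe" followed by whitespace or end of string, so an extensionless image with an ".exe" argument can produce a false positive that needs manual review.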

Solution

Update the software
Apply the appropriate update that contains a fix for this vulnerability.

  • PowerAttendant Standard Edition (Windows version)
    • Ver. 2.1.0 September 17, 2025
  • PowerAttendant Basic Edition (Windows version)
    • Ver. 1.1.1 September 17, 2025
  • PowerAct Pro (Windows Version) Slave Agent
    • Ver. 5.21 September 17, 2025

Apply the patch
Apply the patch if the update cannot be applied.

  • PowerAttendant Standard Edition (Windows Version)
    • Ver. 2.0.0 or lower September 17, 2025
  • PowerAttendant Basic Edition (Windows Version)
    • Ver. 1.1.0 or lower September 17, 2025

Switch to alternative products
Users of the unsupported products should consider switching to the alternative products.
For the names and versions of the alternative products, refer to the information provided by the developer.

Credit

OMRON SOCIAL SOLUTIONS Co., Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
