Published: 2025/09/18  Last Updated: 2025/09/18
      
JVNVU#93403671
OMRON SOCIAL SOLUTIONS Uninterruptible Power Supply (UPS) management application registers a Windows service with an unquoted file path

Overview
The Uninterruptible Power Supply (UPS) management application provided by OMRON SOCIAL SOLUTIONS Co., Ltd. registers a Windows service with an unquoted file path.
Products Affected
- PowerAttendant Standard Edition (Windows version)
	- Ver. 2.0.0 or lower (Currently available)
 
- PowerAttendant Basic Edition (Windows version)
	- Ver. 1.1.0 or lower (Currently available)
 
- PowerAct Pro (Windows version) <Slave Agent>
	- Ver. 5.20 or lower (Currently available)
 
- PowerAct Pro (Windows version) <Master Agent>
	- Ver. 5.17 or lower (End of support)
 
- Simple Shutdown Software (Windows version)
	- Ver. 2.51 or lower (End of support)
 
Description
The Uninterruptible Power Supply (UPS) management application provided by OMRON SOCIAL SOLUTIONS Co., Ltd. registers a Windows service with an unquoted file path (CWE-428, CVE-2025-9818).
Impact
If the installation folder path contains spaces, a malicious file may be executed with the privileges of the service account.
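The following is an added example, not part of the advisory and not vendor code: a Python check that flags Windows services whose ImagePath is unquoted and has a space in the program path, which is the condition described above. The service names and paths in SAMPLE are constructed, and treating the first .exe/.com/.bat/.cmd extension as the end of the program path is an assumption of this check.

```python
import re

# Assumption: the program path ends at the first executable extension.
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

def is_unquoted_with_space(image_path: str) -> bool:
    """True if the program path is unquoted and contains a space (CWE-428)."""
    p = str(image_path).strip()
    if not p or p.startswith('"'):
        return False  # empty, or already quoted
    m = _EXE_END.search(p)
    # Everything after the executable name is arguments; spaces there are harmless.
    program = p[:m.end()] if m else p
    return " " in program

def audit(services: dict) -> list:
    """Return the sorted names of services whose ImagePath needs quoting."""
    return sorted(n for n, path in services.items() if is_unquoted_with_space(path))

def read_local_services() -> dict:
    """Read ImagePath of Win32 services from the registry (Windows only)."""
    import winreg
    root = r"SYSTEM\CurrentControlSet\Services"
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as services:
        for i in range(winreg.QueryInfoKey(services)[0]):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as key:
                    if not winreg.QueryValueEx(key, "Type")[0] & 0x30:
                        continue  # kernel/file-system driver, not a Win32 service
                    found[name] = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                continue  # value missing or key not readable
    return found

# Constructed sample values; the service names and paths are hypothetical.
SAMPLE = {
    "ExampleUpsAgent": r"C:\Program Files\Example UPS\agent.exe",
    "ExampleUpsAgentFixed": r'"C:\Program Files\Example UPS\agent.exe" -service',
    "ExampleNoSpace": r"C:\Tools\agent.exe -k run",
    "ExampleSvchost": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    import sys
    data = read_local_services() if sys.platform == "win32" else SAMPLE
    for name in audit(data):
        print(f"{name}: {data[name]}")
```

Run on a Windows host, it lists the locally registered services that match; elsewhere it falls back to the constructed sample.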
Solution
Update the software
Apply the appropriate update that contains a fix for this vulnerability.
- PowerAttendant Standard Edition (Windows version)
	- Ver. 2.1.0 September 17, 2025
 
- PowerAttendant Basic Edition (Windows version)
	- Ver. 1.1.1 September 17, 2025
 
- PowerAct Pro (Windows Version) Slave Agent
	- Ver. 5.21 September 17, 2025
 
Apply the patch if the update cannot be applied.
- PowerAttendant Standard Edition (Windows Version)
	- Ver. 2.0.0 or lower September 17, 2025
 
- PowerAttendant Basic Edition (Windows Version)
	- Ver. 1.1.0 or lower September 17, 2025
 
Users of the unsupported products should consider switching to the alternative products.
For details of the alternative product names and versions, refer to the information provided by the developer.
Vendor Status
| Vendor | Link |
| --- | --- |
| OMRON SOCIAL SOLUTIONS Co., Ltd. | Vulnerability caused by unquoted file paths of Windows services registered by the Uninterruptible Power Supply (UPS) management application |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
OMRON SOCIAL SOLUTIONS Co., Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
