CVE-2025-20016
Published: 14 January 2025
Description
An OS command injection vulnerability exists in the STEALTHONE D220/D340/D440 network storage servers provided by Y'S corporation. A user with administrative privileges who is logged in to the web management page of the affected product may execute arbitrary OS commands.
Security Summary
CVE-2025-20016 is an OS command injection vulnerability (CWE-78) in the web management page of network storage servers STEALTHONE D220, D340, and D440 provided by Y'S Corporation. Published on 2025-01-14, it enables an administrative user to execute arbitrary OS commands on the affected device.
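The advisory names the weakness class (CWE-78) but, as is usual, publishes no code. The following is an added illustration of that class, not code from the STEALTHONE firmware or from Y'S Corporation: a hypothetical "ping a host" diagnostic such as appliance admin pages commonly expose, first in the vulnerable shape (admin-supplied value spliced into a shell command line), then with shell quoting only (which stops `;`-style break-outs but still allows argument injection), and finally in the hardened shape (allowlist validation plus a shell-free argv exec). The hostnames and the injected payload are constructed for the example; `shell_commands` tokenises the command line the way a POSIX shell would so the effect can be shown without running anything.

```python
import re
import shlex
import shutil
import subprocess

# Hypothetical "ping a host" diagnostic on a NAS web admin page. Names, routes
# and behaviour are assumptions for illustration; this is not STEALTHONE code.

# Allowlist for hostnames / IPv4 literals: RFC 1123 labels joined by dots.
# A matching value cannot contain whitespace, quotes, ; | & $ ` or a leading '-'.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")


def build_ping_unsafe(host: str) -> str:
    """CWE-78 pattern: untrusted input spliced into a shell command line."""
    return f"ping -c 1 -W 1 {host}"


def build_ping_quoted(host: str) -> str:
    """Partial fix: shell-quote the value. Stops ';' / '|' break-outs, but the
    string still goes through a shell, and a value such as '-f' is still
    parsed by ping as an option (argument injection)."""
    return f"ping -c 1 -W 1 {shlex.quote(host)}"


def build_ping_safe(host: str) -> list[str]:
    """Hardened form: allowlist-validate, then build argv for a shell-free exec."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", "-W", "1", host]


def rejects(host: str) -> bool:
    """True if the hardened handler refuses this value."""
    try:
        build_ping_safe(host)
    except ValueError:
        return True
    return False


def shell_commands(cmdline: str) -> list[list[str]]:
    """Tokenise a command line the way a POSIX shell does and return one argv
    per simple command, so we can show what the OS would run without running it."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, argv = [], []
    for tok in lex:
        if tok in (";", "&&", "||", "|", "&"):
            if argv:
                commands.append(argv)
            argv = []
        else:
            argv.append(tok)
    if argv:
        commands.append(argv)
    return commands


if __name__ == "__main__":
    payload = "10.0.0.1; cat /etc/shadow"      # constructed attacker input
    print("unsafe    ->", shell_commands(build_ping_unsafe(payload)))
    print("quoted    ->", shell_commands(build_ping_quoted(payload)))
    print("quoted -f ->", shell_commands(build_ping_quoted("-f")))
    for value in (payload, "-f", "$(id)"):
        print("safe      -> rejected" if rejects(value) else "safe      -> accepted", repr(value))
    argv = build_ping_safe("10.0.0.1")
    print("safe      -> argv", argv)
    if shutil.which("ping"):                    # shell=False: no shell parses argv
        subprocess.run(argv, check=False, timeout=10)
```

The design point is that quoting is a mitigation for one symptom, while validating against an allowlist and passing an argv array with no shell removes the whole bug class; the same pattern applies to whatever system utility a management page wraps (smartctl, mount, ifconfig and so on).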
The vulnerability can be exploited over the network by an authenticated user with administrative privileges accessing the web management interface, with low attack complexity and no additional user interaction. Successful exploitation results in high impacts to confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H); the PR:H component is what holds the score below Critical. In practice this turns any compromised, default, or reused web administrator credential into arbitrary command execution on the storage device itself, so the interface should be reachable only from trusted management networks until the fixed firmware is applied.
The vendor advisory and mitigation details are published via JVNVU#99653331 at https://jvn.jp/en/vu/JVNVU99653331/, and in the release notes for the STEALTHONE D220/D340 v6-03-03 and D440 v7-00-11 firmware at https://stealthone.net/product_info/d220-d340%e3%80%8cv6-03-03%e3%80%8d%e5%8f%8a%e3%81%b3d440%e3%80%8cv7-00-11%e3%80%8d%e3%83%95%e3%82%a1%e3%83%bc%e3%83%a0%e3%82%a6%e3%82%a7%e3%82%a2%e3%82%92%e3%83%aa%e3%83%aa%e3%83%bc%e3%82%b9%e8%87%b4/.
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")