CVE-2025-20055
Published: 14 January 2025
Description
OS command injection vulnerability exists in network storage servers STEALTHONE D220/D340 provided by Y'S corporation. An attacker who can access the affected product may execute an arbitrary OS command.
Security Summary
CVE-2025-20055 is an OS command injection vulnerability (CWE-78) in the network storage servers STEALTHONE D220 and D340 provided by Y'S Corporation. Published on January 14, 2025, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which rates it as critical.
The vulnerability can be exploited over the network by an attacker who can access the affected product, with low attack complexity, no privileges, and no user interaction required. Successful exploitation allows execution of arbitrary OS commands, with high impact on the confidentiality, integrity, and availability of the system.
Advisories, including those from JVN at https://jvn.jp/en/vu/JVNVU99653331/, describe the issue in detail. Y'S Corporation has released firmware updates—version 6-03-03 for D220/D340 and v7-00-11 for D440—to mitigate the vulnerability, as noted at https://stealthone.net/product_info/d220-d340%e3%80%8cv6-03-03%e3%80%8d%e5%8f%8a%e3%81%b3d440%e3%80%8cv7-00-11%e3%83%95%e3%82%a1%e3%83%bc%e3%83%a0%e3%82%a6%e3%82%a7%e3%82%a2%e3%82%92%e3%83%aa%e3%83%aa%e3%83%bc%e3%82%b9%e8%87%b4/.
Details
- CWE(s)