CVE-2025-20620
Published: 14 January 2025
Description
SQL Injection vulnerability exists in STEALTHONE D220/D340 provided by Y'S corporation. An attacker who can access the affected product may obtain the administrative password of the web management page.
Security Summary
CVE-2025-20620 is a SQL injection vulnerability (CWE-89) in the STEALTHONE D220 and D340 devices manufactured by Y'S Corporation. The flaw sits in the web management page of these products and lets an attacker extract the administrative credential from the backing database.
The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): exploitable from the network with low attack complexity, no privileges and no user interaction, with a high confidentiality impact and no scored impact on integrity or availability. An unauthenticated attacker who can reach the affected device can use the injection to read the administrative password for the web management page. Note that the score covers only the direct effect of the injection (credential disclosure); logging in with the recovered password, which would give full administrative control of the device, is a follow-on step that the base score does not reflect, so the practical impact is higher than 7.5 suggests.
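The advisory does not publish the affected query, so the following is an added, generic illustration of the vulnerability class rather than the vendor's code: a constructed SQLite schema with a `users` table holding the web-management admin credential, a status lookup that concatenates untrusted input into its SQL (CWE-89), a UNION payload that uses that lookup to read the admin password out of a different table, and the parameterized form that closes the hole. Table and column names, the payload and the sample rows are all assumptions made for the example.

```python
import sqlite3


def setup_db():
    """Constructed sample database, not the device's real schema.

    The admin password is stored in the clear purely so the leak is visible;
    a real deployment should store a salted hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret-Adm1n", "admin"), ("guest", "guest", "user")],
    )
    conn.execute("CREATE TABLE devices (name TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("eth0", "up"), ("wlan0", "down")],
    )
    conn.commit()
    return conn


def device_status_vulnerable(conn, name):
    """CWE-89: the caller-supplied name is spliced into the query text,
    so quote characters and SQL keywords in it are parsed as SQL."""
    sql = f"SELECT name, status FROM devices WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def device_status_fixed(conn, name):
    """Hardened form: the name is bound as a parameter and can only ever
    match data, never change the statement."""
    return conn.execute(
        "SELECT name, status FROM devices WHERE name = ?", (name,)
    ).fetchall()


# Constructed UNION payload: closes the string literal, appends a SELECT
# with the same column count from the users table, and comments out the
# dangling quote the original query would leave behind.
UNION_PAYLOAD = (
    "x' UNION SELECT username, password FROM users WHERE role='admin' -- "
)


def leaked_admin_password(conn):
    """What an unauthenticated caller gets back from the vulnerable handler:
    the admin row, with the password in the 'status' column position."""
    rows = device_status_vulnerable(conn, UNION_PAYLOAD)
    return rows[0][1] if rows else None


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable handler returned:", leaked_admin_password(db))
    print("fixed handler returned:", device_status_fixed(db, UNION_PAYLOAD))
```

The same payload sent to `device_status_fixed` returns no rows, because the driver passes it as a bound value and the WHERE clause simply fails to match. Parameterization is the fix for the injection itself; storing the credential as a salted hash instead of plaintext is the separate control that would limit what any remaining read primitive can recover.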
Advisories from JVN (https://jvn.jp/en/vu/JVNVU99653331/) and the vendor (https://stealthone.net/product_info/d220-d340%e3%80%8cv6-03-03%e3%80%8d%e5%8f%8a%e3%81%b3d440%e3%80%8cv7-00-11%e3%80%8d%e3%83%95%e3%82%a1%e3%83%bc%e3%83%a0%e3%82%a6%e3%82%a7%e3%82%a2%e3%82%92%e3%83%aa%e3%83%aa%e3%83%bc%e3%82%b9%e8%87%b4/) recommend updating the firmware: version 6.03.03 for the D220/D340, released alongside version 7.00.11 for the related D440 model. Until the update is applied, the web management page should not be reachable from untrusted networks, and the administrative password should be changed after patching in case it has already been read.
Details
- CWE(s)