CVE-2025-25211
Published: 31 March 2025
Description
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Security Summary
CVE-2025-25211 is a weak password requirements vulnerability, classified under CWE-521, affecting all versions of the CHOCO TEI WATCHER mini (IB-MCT001) device. Published on March 31, 2025, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites for exploitation.
The vulnerability enables remote attackers with no privileges or user interaction to perform brute-force attacks against weak password policies, resulting in unauthorized access and login to the device. Exploitation could lead to high-impact compromise of confidentiality, integrity, and availability, such as unauthorized control over the monitoring functions of the affected hardware.
Advisories from JVN (JVNVU#91154745), CISA (ICS-A-25-084-04), vendor Inaba (chocomini_vulnerability.pdf), and Nozomi Networks detail mitigation strategies, with the latter noting unpatched vulnerabilities in production-line cameras that may enable remote surveillance and hinder stoppage recording. Security practitioners should consult these references for patch availability and hardening guidance.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Weak password requirements (CWE-521) directly enable remote brute-force attacks for unauthorized access without privileges or interaction.