CVE-2025-26689
Published: 31 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26689 is a Direct Request ('Forced Browsing') vulnerability, classified under CWE-425, affecting all versions of the CHOCO TEI WATCHER mini (IB-MCT001) production line monitoring camera. The device's web interface does not enforce authentication on its internal function endpoints themselves, so an attacker who knows or guesses their URLs can invoke them directly with specially crafted HTTP requests, bypassing the login and UI flow that was expected to gate them. The result is exposure of sensitive data and unauthorized modification of the device.
The vulnerability is exploitable by any remote attacker over the network with low attack complexity, no privileges and no user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8). Successful exploitation lets the attacker obtain or delete product data and alter product settings, compromising confidentiality, integrity and availability.
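The weakness class behind this CVE, in an added example that is not code from the CHOCO TEI WATCHER mini or its vendor: an in-process HTTP-style router in which only the dashboard page checks the session while the internal function endpoints assume they were reached through it (the CWE-425 pattern), beside a deny-by-default dispatcher that authenticates every request not on an explicit public allowlist. The endpoint paths, the session value and the handler responses are hypothetical, constructed for illustration; the audit function is the check a practitioner would run against a device, here applied to both routers.

```python
"""Forced browsing (CWE-425): vulnerable vs. deny-by-default request dispatch.

Added example; not code from the CHOCO TEI WATCHER mini or Inaba Denki Sangyo.
All paths, handler bodies and the session token below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Request:
    method: str
    path: str
    session: Optional[str] = None   # value of the session cookie, None if absent

@dataclass
class Response:
    status: int
    body: str = ""

Route = Tuple[str, str]
Handler = Callable[[Request], Response]

# Constructed stand-in for a server-side session store.
VALID_SESSIONS = {"s3ss10n-for-admin"}

def is_authenticated(req: Request) -> bool:
    return req.session in VALID_SESSIONS

# Hypothetical internal functions of a monitoring camera: read status and
# settings, change settings, delete recordings.
INTERNAL_ROUTES: Dict[Route, Handler] = {
    ("GET", "/api/status"): lambda r: Response(200, "camera: recording"),
    ("GET", "/api/settings"): lambda r: Response(200, '{"ntp":"10.0.0.1"}'),
    ("PUT", "/api/settings"): lambda r: Response(200, "settings updated"),
    ("DELETE", "/api/data"): lambda r: Response(200, "recordings deleted"),
}
# Routes that must work without a session (the login page itself).
PUBLIC_ROUTES: Dict[Route, Handler] = {
    ("GET", "/login"): lambda r: Response(200, "login form"),
}

def vulnerable_dispatch(req: Request) -> Response:
    """CWE-425 pattern: the dashboard page enforces the session, but the API
    handlers behind it do not, so a direct request to them succeeds."""
    if req.path == "/ui":
        if is_authenticated(req):
            return Response(200, "dashboard")
        return Response(302, "/login")
    handler = {**PUBLIC_ROUTES, **INTERNAL_ROUTES}.get((req.method, req.path))
    return handler(req) if handler else Response(404)

def hardened_dispatch(req: Request) -> Response:
    """Deny by default: anything not explicitly public needs a valid session.
    The authentication check runs before route lookup so unauthenticated
    callers cannot even learn which internal paths exist."""
    key = (req.method, req.path)
    if key in PUBLIC_ROUTES:
        return PUBLIC_ROUTES[key](req)
    if not is_authenticated(req):
        return Response(401, "authentication required")
    handler = INTERNAL_ROUTES.get(key)
    return handler(req) if handler else Response(404)

def forced_browsing_audit(dispatch: Callable[[Request], Response],
                          routes: Dict[Route, Handler]) -> List[Route]:
    """Send each route an unauthenticated direct request; return the ones
    that answer 2xx. Any entry in the result is reachable without login."""
    exposed = []
    for method, path in routes:
        resp = dispatch(Request(method, path, session=None))
        if 200 <= resp.status < 300:
            exposed.append((method, path))
    return sorted(exposed)

if __name__ == "__main__":
    print("vulnerable:", forced_browsing_audit(vulnerable_dispatch, INTERNAL_ROUTES))
    print("hardened:  ", forced_browsing_audit(hardened_dispatch, INTERNAL_ROUTES))
```

Against a real device the same audit is run over the wire: request each function endpoint with no session cookie, compare with an authenticated baseline, and treat any endpoint that returns data or accepts a write without a session as the condition this advisory describes. Note that the hardened dispatcher answers 401 rather than 404 for unknown paths when unauthenticated, so the allowlist is the only thing an attacker can enumerate.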
Advisories from JVN (JVNVU#91154745), CISA (ICSA-25-084-04), the manufacturer Inaba Denki Sangyo (chocomini_vulnerability.pdf) and Nozomi Networks describe the issue in the context of production line monitoring cameras, including the risk of remote surveillance through the camera and interference with its stoppage recording function.
The Nozomi Networks analysis highlights that vulnerabilities like this remain unpatched in deployed production line cameras, increasing exposure to remote attacks.
Details
- CWE(s): CWE-425 Direct Request ('Forced Browsing')
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The CVE describes a forced browsing vulnerability in the web interface of a network-reachable monitoring device: a remote, unauthenticated attacker can call internal functions directly to read or delete data and change settings. That is exploitation of a public-facing application (T1190) used for initial access.