Zero-Day Vulnerabilities in I-O Data Routers Exploited in Attacks
Japan’s CERT has issued a warning regarding hackers actively exploiting zero-day vulnerabilities in I-O Data routers, enabling them to modify device settings, execute commands, and disable firewalls.
The three vulnerabilities, disclosed on November 13, include:
- CVE-2024-45841 (CVSS score: 6.5): Improper access permissions to sensitive resources allow low-privileged users to access critical files. For instance, third parties with guest account credentials can retrieve authentication data.
- CVE-2024-47133 (CVSS score: 7.2): Authenticated administrators can inject and execute arbitrary operating system commands due to insufficient input validation during configuration management.
- CVE-2024-52564 (CVSS score: 7.5): Undocumented features or backdoors in the firmware enable remote attackers to disable firewalls and alter settings without authentication.
These flaws affect the UD-LT1 model (a hybrid LTE router) and its industrial counterpart, the UD-LT1/EX. The latest firmware version, v2.1.9, addresses CVE-2024-52564, while fixes for the remaining vulnerabilities are scheduled for the v2.2.0 release on December 18.
The manufacturer has acknowledged these issues in a published security bulletin, confirming that some customers have already been targeted in attacks exploiting these vulnerabilities. According to the bulletin, affected users allowed internet access to the configuration interface without employing a VPN. In several cases, unauthorized connections from external sources were detected.
Until updates are available, users are advised to take the following precautions to mitigate risks:
- Disable the remote management feature for all connection methods, including the WAN port, modem, and VPN settings.
- Restrict access to VPN-connected networks only, preventing unauthorized external connections.
- Change the guest account password to a more complex one, with at least 10 characters.
- Regularly review device settings for unauthorized changes. If suspicious activity is detected, reset the configuration to factory defaults and reconfigure the device.
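For operators with several of these routers, the following Python triage is an added example, not code from I-O Data or from the advisory. It applies the article's fix versions to an inventory and ranks devices by which CVEs remain open and whether remote management is still enabled. The inventory field names (host, model, firmware, remote_mgmt), the host names and the priority labels are assumptions; the models, CVE IDs and fix versions are the ones given above.

```python
import re

AFFECTED_MODELS = {"UD-LT1", "UD-LT1/EX"}
# CVE -> first firmware version the article says carries the fix.
FIXED_IN = {
    "CVE-2024-52564": (2, 1, 9),   # unauthenticated; fixed in v2.1.9
    "CVE-2024-45841": (2, 2, 0),   # fix scheduled for v2.2.0
    "CVE-2024-47133": (2, 2, 0),   # fix scheduled for v2.2.0
}

def parse_version(text):
    """Turn 'v2.1.9' or '2.1.9' into (2, 1, 9); raise on anything else."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.groups())

def open_cves(model, firmware):
    """CVEs from the article that are still unpatched on this device."""
    if model not in AFFECTED_MODELS:
        return []
    have = parse_version(firmware)
    return sorted(cve for cve, fixed in FIXED_IN.items() if have < fixed)

def triage(device):
    """Return (priority, open_cves) for one inventory record."""
    cves = open_cves(device["model"], device["firmware"])
    exposed = device.get("remote_mgmt", True)  # state unknown: assume exposed
    if not cves:
        return "ok", cves
    if exposed and "CVE-2024-52564" in cves:
        return "urgent", cves   # unauthenticated flaw with remote management on
    if exposed:
        return "high", cves     # remaining flaws require guest/admin credentials
    return "patch", cves        # remote management off, update still pending

# Constructed inventory (hypothetical hosts and field names).
INVENTORY = [
    {"host": "site-a", "model": "UD-LT1", "firmware": "v2.1.8", "remote_mgmt": True},
    {"host": "site-b", "model": "UD-LT1/EX", "firmware": "2.1.9", "remote_mgmt": True},
    {"host": "site-c", "model": "UD-LT1", "firmware": "2.1.9", "remote_mgmt": False},
    {"host": "site-d", "model": "UD-LT1/EX", "firmware": "2.2.0"},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        priority, cves = triage(dev)
        print(f"{dev['host']:7} {priority:7} {', '.join(cves) or '-'}")
```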
The UD-LT1 and UD-LT1/EX routers, designed for the Japanese market, are compatible with major carriers such as NTT Docomo and KDDI, as well as SIM cards from leading mobile virtual network operators (MVNOs) in the region.