Japan warns of IO-Data zero-day router flaws exploited in attacks
Japan's CERT is warning that hackers are exploiting zero-day vulnerabilities in I-O Data router devices to modify device settings, execute commands, or even turn off the firewall.
The vendor has acknowledged the flaws in a security bulletin published on its website. However, the fixes are expected to land on December 18, 2024, so users will be exposed to risks until then unless mitigations are enabled.
The vulnerabilities
The three flaws that were identified on November 13, 2024, are information disclosure, remote arbitrary OS command execution, and the ability to disable firewalls.
The issues are summarized as follows:
- CVE-2024-45841: Permissions on sensitive resources are misconfigured, allowing users with low-level privileges to access critical files. For example, a third party who knows the guest account credentials may access files containing authentication information.
- CVE-2024-47133: Allows authenticated administrative users to inject and execute arbitrary operating system commands on the device, exploiting insufficient input validation in configuration management.
- CVE-2024-52564: Undocumented features or backdoors in the firmware allow remote attackers to turn off the device firewall and modify settings without authentication.
The three issues impact UD-LT1, a hybrid LTE router designed for versatile connectivity solutions, and its industrial-grade version, UD-LT1/EX.
The latest available firmware version, v2.1.9, addresses only CVE-2024-52564, and I-O Data states that fixes for the other two vulnerabilities will be made available in v2.2.0, scheduled for release on December 18, 2024.
As the vendor confirmed in the bulletin, customers have reported that the flaws are already being exploited in attacks.
"Recently, we received inquiries from customers using our hybrid LTE routers 'UD-LT1' and 'UD-LT1/EX', where access to the configuration interface was allowed from the internet without VPN," reads the I-O Data security advisory.
"These customers reported potential unauthorized access from external sources."
Until the security updates are made available, the vendor suggests that users implement the following mitigation measures:
- Disable the Remote Management feature for all internet connection methods, including WAN Port, Modem, and VPN settings.
- Restrict access to only VPN-connected networks to prevent unauthorized external access.
- Change the default "guest" user's password to a more complex one with over 10 characters.
- Regularly monitor and verify device settings to detect unauthorized changes early, and reset the device to factory defaults and re-configure if a compromise is detected.
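One way to automate the settings check and firmware triage described above, as an added example that is not from the article or from I-O Data. The `key=value` snapshot format and the setting names are hypothetical, and the v2.2.0 entries assume the scheduled fixes ship as announced.

```python
# Added example. Setting names (including the EXPECTED keys) and the key=value
# snapshot format are hypothetical; the firmware/CVE mapping is from the article.
FIXED_IN = {  # first firmware version carrying each fix
    "CVE-2024-52564": (2, 1, 9),
    "CVE-2024-45841": (2, 2, 0),  # assumes the scheduled fix ships in v2.2.0
    "CVE-2024-47133": (2, 2, 0),  # assumes the scheduled fix ships in v2.2.0
}
EXPECTED = {"remote_mgmt.wan": "off", "remote_mgmt.modem": "off",
            "remote_mgmt.vpn": "off", "firewall.enabled": "on"}
# Constructed sample snapshots, not real device output.
BASELINE = ("firmware=v2.1.9\nremote_mgmt.wan=off\nremote_mgmt.modem=off\n"
            "remote_mgmt.vpn=off\nfirewall.enabled=on\ndns.primary=192.0.2.53\n")
CURRENT = ("firmware=v2.1.9\nremote_mgmt.wan=on\nremote_mgmt.modem=off\n"
           "remote_mgmt.vpn=off\nfirewall.enabled=off\ndns.primary=198.51.100.7\n")

def parse_version(text):
    """'v2.1.9' -> (2, 1, 9); raises ValueError on malformed input."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def unfixed_cves(firmware):
    """CVEs from the article that the given firmware version does not fix."""
    version = parse_version(firmware)
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)

def parse_snapshot(text):
    """Parse key=value lines, skipping blanks, comments and malformed lines."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(baseline_text, current_text):  # -> list of (severity, message)
    base, cur = parse_snapshot(baseline_text), parse_snapshot(current_text)
    findings = []
    for key, want in EXPECTED.items():  # mitigation settings off-policy
        if cur.get(key) != want:
            findings.append(("high", f"{key} is {cur.get(key)!r}, expected {want!r}"))
    for key in sorted(set(base) | set(cur)):  # any other drift from baseline
        if key not in EXPECTED and base.get(key) != cur.get(key):
            findings.append(("review", f"{key}: {base.get(key)!r} -> {cur.get(key)!r}"))
    firmware = cur.get("firmware", "v0.0.0")  # unknown version: assume unpatched
    findings += [("patch", f"{cve} unfixed in {firmware}") for cve in unfixed_cves(firmware)]
    return findings

if __name__ == "__main__":
    for severity, message in audit(BASELINE, CURRENT):
        print(f"{severity:6} {message}")
```

A "high" finding on a device that was previously compliant is the kind of unauthorized change the vendor advises answering with a factory reset and re-configuration.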
The I-O DATA UD-LT1 and UD-LT1/EX LTE routers are primarily marketed and sold within Japan, designed to support multiple carriers like NTT Docomo and KDDI, and are compatible with major MVNO SIM cards in the country.