Article Details

Japan warns of IO-Data zero-day router flaws exploited in attacks. Japan's CERT is warning that hackers are exploiting zero-day vulnerabilities in I-O Data router devices to modify device settings, execute commands, or even turn off the firewall. The vendor has acknowledged the flaws in a security bulletin published on its website. However, the fixes are expected to land on December 18, 2024, so users will be exposed to risks until then unless mitigations are enabled. The vulnerabilities The three flaws that were identified on November 13, 2024, are information disclosure, remote arbitrary OS command execution, and the ability to disable firewalls. The issues are summarized as follows: The three issues impact UD-LT1, a hybrid LTE router designed for versatile connectivity solutions, and its industrial-grade version, UD-LT1/EX. The latest available firmware version, v2.1.9, addresses only CVE-2024-52564, and I-O Data states that fixes for the other two vulnerabilities will be made available in v2.2.0, scheduled for release on December 18, 2024. As the vendor confirmed in the bulletin, customers have already reported that the flaws are already exploited in attacks. "Recently, we received inquiries from customers using our hybrid LTE routers' UD-LT1' and 'UD-LT1/EX', where access to the configuration interface was allowed from the internet without VPN," reads the I-O data security advisory. "These customers reported potential unauthorized access from external sources." Until the security updates are made available, the vendor suggests that users implement the following mitigation measures: The I-O DATA UD-LT1 and UD-LT1/EX LTE routers are primarily marketed and sold within Japan, designed to support multiple carriers like NTT Docomo and KDDI, and are compatible with major MVNO SIM cards in the country.