Multiple vulnerabilities reported in Inaba Denki Sangyo CHOCO TEI WATCHER Mini, two critical
Take action: If you are using Inaba Denki Sangyo's CHOCO TEI WATCHER mini, be aware that it has several flaws and that no patches are available. Keep the devices on isolated networks that are reachable only from trusted zones, ideally not connected to the internet, and make sure only authorized, trusted users have physical access to operate them.
Inaba Denki Sangyo Co., Ltd. has reported multiple security vulnerabilities in their CHOCO TEI WATCHER mini (IB-MCT001) product, including critical severity flaws. The CHOCO TEI WATCHER mini (IB-MCT001) is a compact monitoring device developed to analyze brief production interruptions, commonly referred to as “choco tei”, in manufacturing environments.
Vulnerability summary:
- CVE-2025-25211 (CVSS score 9.3) - Weak Password Requirements - This vulnerability allows attackers to execute brute-force attacks resulting in unauthorized access and login due to insufficient password complexity requirements.
- CVE-2025-26689 (CVSS score 9.3) - Direct Request ('Forced Browsing') - If a remote attacker sends a specially crafted HTTP request to the product, they may obtain or delete the product's data and/or alter its settings.
- CVE-2025-24517 (CVSS score 8.7) - Use of Client-Side Authentication - The affected product performs authentication on the client side, which may allow an attacker to obtain the product's login password without authentication.
- CVE-2025-24852 (CVSS score 5.1) - Storing Passwords in a Recoverable Format - An attacker who can access the microSD card used on the product may obtain the product's login password.
Successful exploitation of these vulnerabilities could allow attackers to obtain the product's login password, gain unauthorized access, tamper with the product's data, and modify product settings.
The flaws affect all versions of CHOCO TEI WATCHER mini (IB-MCT001).
Inaba Denki Sangyo Co., Ltd. recommends users implement the following workarounds to help mitigate the impacts of these vulnerabilities:
- Use the product only within LAN environments and block access from untrusted networks and hosts through firewalls.
- When Internet access is required, use a firewall or virtual private network (VPN) to prevent unauthorized access, and restrict Internet access to a minimum.
- Restrict the product operation (including use/handling of microSD cards on the product) only to authorized users.
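One way to verify that the network workarounds above are actually in force is to audit firewall flow records for traffic that reached the device from outside the trusted zone, or that the device sent beyond it. This is an added example, not code from the vendor or from the advisory; the device address, trusted subnets and log format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumptions (not from the advisory): device address and trusted subnets.
DEVICE_IPS = {ipaddress.ip_address("192.168.50.20")}
TRUSTED_NETS = [ipaddress.ip_network("192.168.50.0/24"),
                ipaddress.ip_network("10.10.0.0/28")]

# Constructed flow records in a hypothetical format:
# "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2025-04-01T08:00:01Z 192.168.50.11 192.168.50.20 80 ACCEPT
2025-04-01T08:00:07Z 10.10.0.5 192.168.50.20 80 ACCEPT
2025-04-01T08:01:13Z 172.16.9.44 192.168.50.20 80 ACCEPT
2025-04-01T08:02:40Z 203.0.113.77 192.168.50.20 80 ACCEPT
2025-04-01T08:02:41Z 203.0.113.77 192.168.50.20 80 DROP
2025-04-01T08:03:02Z 192.168.50.20 198.51.100.9 443 ACCEPT
not a flow record
"""

def is_trusted(addr):
    """True if addr belongs to one of the trusted management subnets."""
    return any(addr in net for net in TRUSTED_NETS)

def audit_flows(text):
    """Return (timestamp, kind, src, dst) for every permitted flow that
    crosses the trust boundary around the device."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed record
        ts, src, dst, _dport, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparsable address
        if action != "ACCEPT":
            continue  # the firewall blocked it, as intended
        if dst_ip in DEVICE_IPS and not is_trusted(src_ip):
            findings.append((ts, "inbound-from-untrusted", src, dst))
        elif src_ip in DEVICE_IPS and not is_trusted(dst_ip):
            findings.append((ts, "outbound-to-untrusted", src, dst))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

Any finding means a firewall rule permits a path the workarounds say should be closed, so the rule set needs tightening.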
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. The vulnerabilities were reported to Inaba Denki Sangyo Co., Ltd. and CISA by Andrea Palanca of Nozomi Networks, with coordination by JPCERT/CC.