Three zero-day vulnerabilities have been discovered in I-O Data router devices (UD-LT1 and UD-LT1/EX models), affecting Japanese networks. The flaws allow attackers to:
Critical Vulnerabilities:
1. CVE-2024-45841: Access sensitive files through misconfigured permissions
2. CVE-2024-47133: Execute arbitrary OS commands through admin authentication
3. CVE-2024-52564: Disable firewalls and modify settings without authentication
Current Status:
– Only CVE-2024-52564 is fixed in firmware v2.1.9
– Complete fixes scheduled for v2.2.0 (December 18, 2024)
– Active exploitation reported by customers
Recommended Mitigations:
1. Disable Remote Management
2. Limit access to VPN-connected networks
3. Change default guest password (10+ characters)
4. Monitor device settings regularly
5. Reset to factory defaults if compromise suspected
Affected Devices:
– UD-LT1 and UD-LT1/EX LTE routers
– Primarily used in Japan
– Compatible with NTT Docomo, KDDI, and major MVNO SIM cards