Risk | High |
Patch available | NO |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2025-24517 CVE-2025-24852 CVE-2025-25211 CVE-2025-26689 |
CWE-ID | CWE-603 CWE-257 CWE-521 CWE-425 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | CHOCO TEI WATCHER mini (IB-MCT001) Hardware solutions / Firmware |
Vendor | INABA DENKI SANGYO |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU105998
Risk: High
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-24517
CWE-ID: CWE-603 - Use of Client-Side Authentication
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to use of client-side authentication. A remote attacker can obtain the product's login password without authentication.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
CHOCO TEI WATCHER mini (IB-MCT001): All versions
External links
https://jvn.jp/en/vu/JVNVU91154745/index.html
https://www.inaba.co.jp/files/chocomini_vulnerability.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU106006
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-24852
CWE-ID: CWE-257 - Storing Passwords in a Recoverable Format
Exploit availability: No
Description
The vulnerability allows a local attacker to gain access to sensitive information.
The vulnerability exists due to storing passwords in a recoverable format. An attacker with physical access can obtain the product's login password.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
CHOCO TEI WATCHER mini (IB-MCT001): All versions
External links
https://jvn.jp/en/vu/JVNVU91154745/index.html
https://www.inaba.co.jp/files/chocomini_vulnerability.pdf
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU106007
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-25211
CWE-ID: CWE-521 - Weak Password Requirements
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a brute-force attack and guess the password.
The vulnerability exists due to weak password requirements. A remote attacker can perform a brute-force attack and guess users' passwords.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
CHOCO TEI WATCHER mini (IB-MCT001): All versions
External links
https://jvn.jp/en/vu/JVNVU91154745/index.html
https://www.inaba.co.jp/files/chocomini_vulnerability.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU106008
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-26689
CWE-ID: CWE-425 - Direct Request ('Forced Browsing')
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a forced browsing issue. A remote attacker can send a specially crafted HTTP request to obtain or delete the product's data and alter the settings.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
CHOCO TEI WATCHER mini (IB-MCT001): All versions
External links
https://jvn.jp/en/vu/JVNVU91154745/index.html
https://www.inaba.co.jp/files/chocomini_vulnerability.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.