#VU106008 Direct Request ('Forced Browsing') in CHOCO TEI WATCHER mini (IB-MCT001) - CVE-2025-26689

Cybersecurity Help s.r.o.

Published: 2025-03-25

Vulnerability identifier: #VU106008

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-26689

CWE-ID: CWE-425

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CHOCO TEI WATCHER mini (IB-MCT001)
Hardware solutions / Firmware

Vendor: INABA DENKI SANGYO

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to forced browsing issue. A remote attacker can send a specially crafted HTTP request to obtain or delete the product's data and alter the settings.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CHOCO TEI WATCHER mini (IB-MCT001): All versions

External links
https://jvn.jp/en/vu/JVNVU91154745/index.html
https://www.inaba.co.jp/files/chocomini_vulnerability.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in CHOCO TEI WATCHER mini