Japan's CERT is warning that hackers are exploiting zero-day vulnerabilities in I-O Data router devices to modify device settings, execute commands, or even turn off the firewall.

The vendor has acknowledged the flaws in a security bulletin published on its website. However, the fixes are expected to land on December 18, 2024, so users will be exposed to risks until then unless mitigations are enabled.

The vulnerabilities

The three flaws that were identified on November 13, 2024, are information disclosure, remote arbitrary OS command execution, and the ability to disable firewalls.

The issues are summarized as follows:

• CVE-2024-45841: Permissions on sensitive resources are misconfigured, allowing users with low-level privileges to access critical files. For example, a third party who knows the guest account credentials may access files containing authentication information.
• CVE-2024-47133: Allows authenticated administrative users to inject and execute arbitrary operating system commands on the device, exploiting insufficient input validation in configuration management.
• CVE-2024-52564: Undocumented features or backdoors in the firmware allow remote attackers to turn off the device firewall and modify settings without authentication.

The three issues impact UD-LT1, a hybrid LTE router designed for versatile connectivity solutions, and its industrial-grade version, UD-LT1/EX.

The latest available firmware version, v2.1.9, addresses only CVE-2024-52564, and I-O Data states that fixes for the other two vulnerabilities will be made available in v2.2.0, scheduled for release on December 18, 2024.

As the vendor confirmed in the bulletin, customers have already reported that the flaws are already exploited in attacks.

"Recently, we received inquiries from customers using our hybrid LTE routers' UD-LT1' and 'UD-LT1/EX', where access to the configuration interface was allowed from the internet without VPN," reads the I-O data security advisory.

"These customers reported potential unauthorized access from external sources."

Until the security updates are made available, the vendor suggests that users implement the following mitigation measures:

• Disable the Remote Management feature for all internet connection methods, including WAN Port, Modem, and VPN settings.
• Restrict access to only VPN-connected networks to prevent unauthorized external access.
• Change the default "guest" user's password to a more complex one with over 10 characters.
• Regularly monitor and verify device settings to detect unauthorized changes early, and reset the device to factory defaults and re-configure if a compromise is detected.

The I-O DATA UD-LT1 and UD-LT1/EX LTE routers are primarily marketed and sold within Japan, designed to support multiple carriers like NTT Docomo and KDDI, and are compatible with major MVNO SIM cards in the country.