December 5, 2024 at 11:53AM
I-O Data confirmed critical vulnerabilities in its routers, allowing remote attackers to disable firewalls and execute commands. Full patches will take weeks. Three flaws—CVE-2024-45841, CVE-2024-47133, and CVE-2024-52564—pose risks of information disclosure and command execution. A partial fix is available, with complete solutions expected by December 2024.
### Meeting Takeaways
1. **Zero-Day Exploitation Confirmed**: I-O Data has confirmed the exploitation of critical flaws in several of their router models.
2. **Critical Vulnerabilities**: The main concern is a flaw that allows remote attackers to disable firewalls, execute commands, and alter router configurations.
3. **Active Exploitation**: Incidents of attacks leveraging these vulnerabilities have been documented.
4. **Vulnerability Details**:
   - **CVE-2024-45841**: Someone with knowledge of the guest account could access a specific file and steal information from it. CVSS Score: 6.5.
   - **CVE-2024-47133**: Allows arbitrary OS command execution by an admin user. CVSS Score: 7.2.
   - **CVE-2024-52564**: Remote attackers can disable firewalls, execute OS commands, or modify settings. CVSS Score: 7.5.
5. **Firmware Update**: A firmware update (version 2.1.9) has been released to address one of the vulnerabilities, but full patches for CVE-2024-45841 and CVE-2024-47133 will not be available until at least December 18, 2024.
6. **No Public Details on Exploits**: Specifics on the zero-day exploits remain undisclosed, but they were reported by researchers from the National Institute of Information and Communications Technology and 00One, Inc.
7. **Coordination with Security Partnerships**: The situation is being coordinated through Japan’s Information Security Early Warning Partnership.
**Next Steps**: Monitor updates from I-O Data for the forthcoming patches and remain aware of potential risks associated with the identified vulnerabilities.