Multiple vulnerabilities in I-O DATA router UD-LT2

Overview

UD-LT2 provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities.

Description

UD-LT2 provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities listed below.

• OS Command Injection (CWE-78)
  • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
  • CVE-2025-20617
• Inclusion of Undocumented Features (CWE-1242)
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Base Score 7.5
  • CVE-2025-22450
• OS Command Injection (CWE-78)
  • CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 6.6
  • CVE-2025-23237

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
The developer has released the update listed below that addresses these vulnerabilities.

• UD-LT2 firmware Ver.1.00.011_SE

Credit

Takeshi Kuramori, Kaori Takashima, and Kohei Masumi of National Institute of Information and Communications Technology, Cybersecurity Research Institute reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.