
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory alerting organizations to multiple critical vulnerabilities affecting the CHOCO TEI WATCHER mini (IB-MCT001)—a device manufactured by Inaba Denki Sangyo Co., Ltd. for use in industrial and manufacturing environments.
According to CISA’s advisory, exploitation of these flaws could have severe consequences: “Successful exploitation of these vulnerabilities could allow an attacker to obtain the product’s login password, gain unauthorized access, tamper with product’s data, and/or modify product settings.”
Four distinct vulnerabilities have been disclosed, each with varying severity:
- CVE-2025-24517 – Use of Client-Side Authentication (CVSS: 7.5)
  The product improperly relies on client-side authentication, allowing an attacker to retrieve the login password without any authentication.
  “The affected product is vulnerable to a use of client-side authentication vulnerability,” states the advisory.
- CVE-2025-24852 – Passwords Stored in Recoverable Format (CVSS: 4.6)
  Login credentials are stored insecurely on the device’s microSD card, making them retrievable by anyone with physical access to the hardware.
- CVE-2025-25211 – Weak Password Requirements (CVSS: 9.8)
  The device fails to enforce strong password policies, which could allow unauthorized access via brute-force attacks.
- CVE-2025-26689 – Direct Request (Forced Browsing) (CVSS: 9.8)
  A remote attacker can craft HTTP requests to read, delete, or modify the device’s data and settings, without authentication.
These vulnerabilities affect all versions of CHOCO TEI WATCHER mini and pose a risk to the critical manufacturing sector, where the product is widely deployed. CISA emphasized that while no known public exploitation has been observed, the potential for significant operational disruption is real.
Although patches have not yet been released, Inaba Denki Sangyo has issued temporary mitigations:
- Use the device only within secured LAN environments, and block external access.
- Implement VPNs or firewalls when remote access is required.
- Restrict physical access and microSD card handling to authorized users only.
The full security guidance is available via JVNVU#91154745 and Inaba Denki’s advisory (PDF).