JPCERT/CC has issued a warning regarding multiple vulnerabilities affecting STEALTHONE D220, D340, and D440 network storage servers, urging users to update their firmware immediately.
These vulnerabilities, identified as CVE-2025-20016, CVE-2025-20055, and CVE-2025-20620, range in severity and could allow attackers to execute arbitrary commands, gain unauthorized access, and even steal administrative passwords.
The vulnerabilities in detail:
- CVE-2025-20016 (CVSS 7.2): This command injection vulnerability allows authenticated administrators to execute arbitrary OS commands on the affected device. While requiring admin access, this flaw could be exploited by malicious insiders or through compromised administrator accounts.
- CVE-2025-20055 (CVSS 9.8): This critical command injection vulnerability is even more severe as it allows any attacker who can access the network storage device to execute arbitrary OS commands. This could lead to complete system compromise and data breaches.
- CVE-2025-20620 (CVSS 7.5): This SQL injection vulnerability enables attackers to potentially obtain the administrative password for the web management interface. With this password, attackers gain full control of the device and its stored data.
Affected devices and firmware versions:
- STEALTHONE D220: Firmware v6.03.02 and earlier
- STEALTHONE D340: Firmware v6.03.02 and earlier
- STEALTHONE D440: Firmware v7.00.10 and earlier
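A small inventory check built from the affected-version table above, added here as an example and not taken from the JPCERT/CC advisory or from Y'S Corporation. It compares each device's reported firmware string numerically, component by component, against the per-model ceiling the advisory gives, so that a version such as v7.00.9 is correctly flagged as affected even though a plain string comparison would rank it above v7.00.10. The hostnames and firmware strings in the sample inventory are constructed.

```python
"""Flag STEALTHONE devices whose firmware is at or below the affected ceiling.

Added example, not vendor or JPCERT/CC code. Ceilings come from the advisory;
the inventory rows below are constructed sample data.
"""
import re

# Highest affected firmware per model, exactly as listed in the advisory.
AFFECTED_CEILING = {
    "D220": "v6.03.02",
    "D340": "v6.03.02",
    "D440": "v7.00.10",
}

# Constructed sample inventory: (hostname, model, reported firmware).
SAMPLE_INVENTORY = [
    ("nas-01", "D220", "v6.03.02"),  # exactly at the ceiling -> affected
    ("nas-02", "D220", "v6.03.03"),  # one patch level above -> fixed
    ("nas-03", "D340", "v6.10.00"),  # minor 10 > minor 3 -> fixed
    ("nas-04", "D440", "v7.00.10"),  # exactly at the ceiling -> affected
    ("nas-05", "D440", "v7.00.9"),   # lexically "newer", numerically older -> affected
]

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'v6.03.02' into (6, 3, 2); reject anything that is not dotted digits."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a C comparator; shorter tuples are zero-padded
    so that v7.1 and v7.1.0 compare equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(model: str, version: str) -> bool:
    """True when the firmware is at or below the advisory's ceiling for the model."""
    ceiling = AFFECTED_CEILING.get(model.upper())
    if ceiling is None:
        raise KeyError(f"model {model!r} is not covered by this advisory")
    return compare_versions(version, ceiling) <= 0


def affected_hosts(inventory) -> list[str]:
    """Hostnames that still need the vendor firmware update, in inventory order."""
    return [host for host, model, fw in inventory if is_affected(model, fw)]


if __name__ == "__main__":
    for host, model, fw in SAMPLE_INVENTORY:
        state = "AFFECTED - update firmware" if is_affected(model, fw) else "ok"
        print(f"{host:8} {model:5} {fw:10} {state}")
```

Feed it the output of whatever asset inventory records the model and firmware string; any row that raises `KeyError` is a model outside the advisory's scope and should be reviewed separately rather than silently treated as safe.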
What should you do?
Y’S Corporation has released firmware updates to address these vulnerabilities. Users of affected STEALTHONE devices are strongly advised to update to the latest firmware versions as soon as possible.