PatchSiren cyber security CVE debrief
CVE-2025-26689 Inaba Denki Sangyo Co., Ltd. CVE debrief
CVE-2025-26689 is a critical vulnerability affecting Inaba Denki Sangyo CHOCO TEI WATCHER mini (IB-MCT001). According to the CISA CSAF advisory, a remote attacker can send a specially crafted HTTP request and may be able to obtain or delete product data and/or alter product settings. The advisory maps to a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which is consistent with the published 9.8 critical severity. The vendor-provided mitigations focus on reducing exposure: keep the product on a LAN, block untrusted network access, use a firewall or VPN if Internet access is required, and restrict operation to authorized users.
- Vendor: Inaba Denki Sangyo Co., Ltd.
- Product: CHOCO TEI WATCHER mini (IB-MCT001)
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-03-25
- Original CVE updated: 2025-03-25
- Advisory published: 2025-03-25
- Advisory updated: 2025-03-25
Who should care
Organizations that operate or administer CHOCO TEI WATCHER mini (IB-MCT001), especially industrial, facility, or OT environments where the device is reachable over a network. Security teams should pay attention if the product is exposed beyond a trusted LAN, if remote access is enabled, or if operational data and settings are sensitive.
Technical summary
The advisory states that a remote attacker can exploit a specially crafted HTTP request against the product. The stated impact includes unauthorized data access, data deletion, and settings modification. The affected product scope in the CSAF is listed as vers:all/* for CHOCO TEI WATCHER mini (IB-MCT001), and the issue is presented as network-reachable with no user interaction required in the supplied CVSS vector. No fixed version is included in the supplied corpus; the published guidance emphasizes network isolation and access control as immediate mitigations.
Defensive priority
Highest priority for any environment where the device is reachable from untrusted networks or where its data and configuration are business-critical. Because the vulnerability is network-based, unauthenticated, and rated critical, exposure reduction and access restriction should be addressed immediately.
Recommended defensive actions
- Place the product only on a trusted LAN and block access from untrusted networks and hosts with firewalls.
- If Internet access is required, place the device behind a firewall or VPN and restrict exposure to the minimum necessary.
- Restrict product operation, including microSD card handling, to authorized users only.
- Review the associated vendor advisory and JVNVU#91154745 for any additional vendor guidance.
- Verify whether the device is reachable from any routed, remote, or third-party network segment and close unnecessary paths.
- Apply standard industrial control system defensive practices referenced by CISA for segmentation, access control, and monitoring.
Evidence notes
The CISA CSAF advisory for ICSA-25-084-04 states: "If a remote attacker sends a specially crafted HTTP request to the product, the product's data may be obtained or deleted, and/or the product's settings may be altered." The product tree identifies "Inaba Denki Sangyo Co., Ltd. CHOCO TEI WATCHER mini (IB-MCT001): vers:all/*" as affected. The remediations section recommends LAN-only use, blocking untrusted access, using a firewall or VPN when Internet access is required, and restricting operation to authorized users. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, matching the critical severity provided in the record.
Official resources
- CVE-2025-26689 CVE record (CVE.org)
- CVE-2025-26689 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory and source item on 2025-03-25, with the CVE record also dated 2025-03-25. No KEV listing is indicated in the supplied data.