CVE-2025-32002

CVSS 9.3 CRITICAL | EPSS 1.7% | CWE-78

In short

A security flaw in I-O DATA network hard drives (HDL-T Series, firmware v1.21 and earlier) allows anyone on the internet to run harmful commands on the device when Remote Link3 is enabled. This could let attackers take control of your data storage.

Technical detail

An OS command injection vulnerability in I-O DATA HDL-T Series firmware affects the Remote Link3 function. Because input is not properly sanitized, an unauthenticated remote attacker can inject arbitrary OS commands. Exploitation requires Remote Link3 to be enabled and leads to complete system compromise, with potential data exfiltration or destruction.

Summary generated and translated by AI from the official description.
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier when 'Remote Link3 function' is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
