Japan’s Computer Emergency Response Team (CERT) warns that attackers are actively exploiting zero-day vulnerabilities in I-O Data routers to alter device settings, execute arbitrary commands, and even disable the firewall.
In a security advisory posted on its website, I-O Data confirms the existence of three zero-day flaws, but admits that a complete fix is not yet available. A patched firmware release is tentatively scheduled for 18 December 2024, leaving users exposed to significant risk in the meantime.
The three zero-days—discovered on 13 November 2024—cover information disclosure, unauthenticated remote command execution, and a firewall-disabling flaw:
- CVE-2024-45841: Improper permissions on sensitive resources allow low-privileged users to access critical files.
- CVE-2024-47133: An authenticated administrator can inject and execute arbitrary operating-system commands due to insufficient input validation in configuration management.
- CVE-2024-52564: An undocumented feature (or backdoor) in the firmware lets a remote attacker disable the device firewall and change settings without any authentication.
Affected Models
The vulnerabilities impact the UD-LT1 hybrid-LTE router (designed for multi-purpose connectivity) and its industrial-grade sibling UD-LT1/EX.
Current Patch Status
Firmware v2.1.9—the latest available—only mitigates CVE-2024-52564. Fixes for the remaining two CVEs are slated for v2.2.0 on 18 December 2024. Worse, customers have already reported compromises linked to these flaws.
I-O Data’s advisory states: “We have received inquiries from customers using the UD-LT1 and UD-LT1/EX hybrid-LTE routers, reporting suspected unauthorized access from external sources.”
Recommended Mitigations (Until Patched)
- Disable all forms of remote management reachable from the Internet (WAN port, modem interface, VPN).
- Restrict administrative access to VPN-connected networks only.
- Replace the default “guest” user password with a complex one longer than 10 characters.
- Monitor configuration changes regularly; if compromise is suspected, factory-reset and reconfigure the device.
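As an added example (not from I-O Data's advisory or the original article), the configuration-monitoring step above can be automated by diffing a saved baseline against a fresh settings export and ranking firewall, remote-management and account changes first. The `key=value` export format and every key name below are assumptions, since the page does not describe the UD-LT1 settings format.

```python
import hashlib

# Hypothetical key names for the settings this advisory is about
# (firewall state, WAN-side management, the guest account).
CRITICAL_KEYS = {"firewall.enabled", "remote_mgmt.wan", "users.guest.password_hash"}

# Constructed sample snapshots, not real UD-LT1 exports.
BASELINE = """# known-good export
firewall.enabled=1
remote_mgmt.wan=0
users.guest.password_hash=aaa111
ntp.server=ntp.example.jp
"""
CURRENT = """firewall.enabled=0
remote_mgmt.wan=1
users.guest.password_hash=aaa111
ntp.server=ntp.example.jp
dns.primary=192.0.2.53
"""

def parse_snapshot(text):
    """Parse 'key=value' lines, skipping blanks, comments and malformed lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def fingerprint(settings):
    """Order-independent SHA-256 of a snapshot, for a cheap 'anything changed?' check."""
    canonical = "\n".join(f"{k}={settings[k]}" for k in sorted(settings))
    return hashlib.sha256(canonical.encode()).hexdigest()

def diff_snapshots(baseline, current):
    """Return (severity, key, old, new) for every changed, added or removed key."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            severity = "CRITICAL" if key in CRITICAL_KEYS else "review"
            findings.append((severity, key, old, new))
    findings.sort(key=lambda f: f[0] != "CRITICAL")  # stable: critical first
    return findings

if __name__ == "__main__":
    for severity, key, old, new in diff_snapshots(parse_snapshot(BASELINE), parse_snapshot(CURRENT)):
        print(f"[{severity}] {key}: {old!r} -> {new!r}")
```

Any `CRITICAL` finding that no administrator can account for is the cue for the factory reset and reconfiguration the advisory recommends.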
Enterprise users outside Japan can breathe a little easier: the UD-LT1 and UD-LT1/EX are sold almost exclusively in Japan, designed for carriers such as NTT Docomo and KDDI and compatible with major Japanese MVNO SIM cards.