OPEN BizRobo! Vulnerability Advisory: RCE via XStream Deserialization and Hardcoded Keys

Critical Vulnerability Information Vulnerability Overview JVN ID: JVN#30641875 Title: Multiple Vulnerabilities in BizRobo! Release Date: 2025/04/10 Update Date: 2025/04/10 Affected Products CVE-2025-31362, CVE-2025-31932: All versions of BizRobo! CVE-2013-7285: BizRobo! v11.1 and earlier versions Description Use of Hardcoded Encryption Key (CVE-321) - CVSSv3.0 Base Score: 3.7 - Robot files may contain credential information encrypted using the same single key. Deserialization of Untrusted Data in Import Function (CVE-502) - CVSSv3.0 Base Score: 7.2 - The management console includes an outdated version of the XStream library, vulnerable to deserialization of untrusted data. Deserialization of Untrusted Data in Design Studio Licensing (CVE-502) - CVSSv3.0 Base Score: 8.8 - The management console acts as a license server for Design Studio and is vulnerable to deserialization of untrusted data. Impact Credentials in robot files may be extracted if the encryption key is available (CVE-2025-31362) Arbitrary code execution on the management console (CVE-2013-7285, CVE-2025-31932) Solution CVE-2025-31362, CVE-2025-31932: Apply workarounds provided by the developer. CVE-2013-7285: Update the software or apply workarounds provided by the developer. Vendor Status Vendor: OPEN, Inc. Link: Provides Japanese documentation regarding hardcoded encryption keys, Java XStream library, and arbitrary code execution on the MC license server. References JPCERT/CC Addendum JPCERT/CC Vulnerability Analysis Acknowledgments Masamu Asato reported this vulnerability to IPA.

Goal Reached Thanks to every supporter — we hit 100%!

OPEN BizRobo! Vulnerability Advisory: RCE via XStream Deserialization and Hardcoded Keys