Sato CL4/6NX Plus Printers OS Command Injection and Dangerous File Upload Vulnerabilities (CVE-2025-22469/22470)

Critical Vulnerability Information Vulnerability Overview Vulnerability ID: JVN#16547726 Affected Products: Sato Label Printers CL4/6NX Plus and CL4/6NX-J Plus series Release Date: August 6, 2025 Update Date: August 6, 2025 Affected Products CL4/6NX Plus, firmware versions below 1.15.5-r1 CL4/6NX-J Plus (Japanese model), firmware versions below 1.15.5-r1 Description Sato Label Printers CL4/6NX Plus and CL4/6NX-J Plus series are affected by the following vulnerabilities: OS Command Injection (CWE-78) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/Vi:L/VA:L/SC:N/SI:N/SA:N Base Score 6.9 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score 7.3 - CVE-2025-22469 Unrestricted Dangerous File Type Upload (CWE-434) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/Vi:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8 - CVE-2025-22470 Impact Remote attackers may execute arbitrary OS commands on the system with specific non-administrator user privileges (CVE-2025-22469) Remote attackers may execute arbitrary Lua scripts on the system with root privileges (CVE-2025-22470) Solution Firmware Update: Update the firmware to the latest version as per the developer’s guidance. Workaround: For users unable to apply updates, the developer has provided a workaround. References SATO Corporation Technical Advisory: Security vulnerability discovered in CL4/6NX Plus printers Additional Information CVE IDs: - CVE-2025-22469 - CVE-2025-22470 JVNDDB ID: JVNDDB-2025-000056

Goal Reached Thanks to every supporter — we hit 100%!

Sato CL4/6NX Plus Printers OS Command Injection and Dangerous File Upload Vulnerabilities (CVE-2025-22469/22470)