SS1 Firmware Vulnerabilities Advisory (CVE-2025-46409 etc): Unrestricted Upload/Path Traversal/Hardcoded Passwords

Critical Vulnerability Information Vulnerability Overview CVE IDs: CVE-2025-46409, CVE-2025-52460, CVE-2025-53396, CVE-2025-53970, CVE-2025-54762, CVE-2025-54819, CVE-2025-58072, CVE-2025-58081 Affected Products: - SS1 Ver.16.0.0.10 and earlier versions (Media version: 16.0.0a and earlier) - SS1 Cloud Ver.2.1.3 and earlier versions Vulnerability Description Insufficient Encryption Strength (CWE-326): - CVSS v3.0 Base Score: 8.7 - CVSS v3.1 Base Score: 7.5 - Related CVE: CVE-2025-46409 File or Directory Accessible to External Parties (CWE-552): - CVSS v3.0 Base Score: 6.9 - CVSS v3.1 Base Score: 5.3 - Related CVE: CVE-2025-52460 Incorrect Permission Assignment for Critical Resources (CWE-732): - CVSS v3.0 Base Score: 7.3 - CVSS v3.1 Base Score: 7.0 - Related CVE: CVE-2025-53396 Unrestricted Upload of Dangerous File Types (CWE-434): - CVSS v3.0 Base Score: 9.3 - CVSS v3.1 Base Score: 9.8 - Related CVEs: CVE-2025-53970, CVE-2025-54762 Path Traversal (CWE-22): - CVSS v3.0 Base Score: 7.1 - CVSS v3.1 Base Score: 6.5 - Related CVE: CVE-2025-54819 Path Traversal (CWE-22): - CVSS v3.0 Base Score: 7.7 - CVSS v3.1 Base Score: 7.5 - Related CVE: CVE-2025-58072 Use of Hard-coded Password (CWE-259): - CVSS v3.0 Base Score: 8.7 - CVSS v3.1 Base Score: 7.5 - Related CVE: CVE-2025-58081 Impact Remote attackers may access features requiring authentication. Uploaded files and SS1 configuration files may be accessed by remote attackers. Users may obtain root privileges via client terminals. Arbitrary files may be uploaded and executed as SYSTEM with any G5 command. Regular files may be overwritten by remote attackers. Arbitrary files may be viewed by remote attackers. Solution Update the software to the latest version, following the vendor’s recommendations. References JPCERT/CC Addendum Vulnerability analysis provided by JPCERT/CC

Goal Reached Thanks to every supporter — we hit 100%!

SS1 Firmware Vulnerabilities Advisory (CVE-2025-46409 etc): Unrestricted Upload/Path Traversal/Hardcoded Passwords