Ongoing attacks leveraging a trio of zero-day flaws impacting I-O Data routers were disclosed by the Japanese computer peripheral products manufacturer, reports SecurityWeek.
Most severe of the vulnerabilities is the undocumented features inclusion issue, tracked as CVE-2024-52564, which could be exploited to facilitate remote firewall deactivation, device setting manipulation, and arbitrary OS command execution, according to Japan's Computer Emergency Response Team Coordination Center. Also exploited are the CVE-2024-47133 and CVE-2024-45841 flaws, which could be abused to execute arbitrary OS commands with escalated privileges and allow potential authentication data compromise, respectively. Additional details regarding the zero-day exploits, which were disclosed by National Institute of Information and Communications Technology and 00One, Inc. researchers, have not been provided and while I-O Data has already resolved CVE-2024-52564 with an update to version 2.1.9 of the router, it is expected to release fixes for the two remaining bugs on Dec. 18 at the earliest.
