CVE-2025-26689
Published: 31 March 2025
Summary
CVE-2025-26689 is a critical-severity Forced Browsing (CWE-425) vulnerability in Jvn (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2025-26689 is a forced browsing vulnerability (CWE-425) affecting all versions of CHOCO TEI WATCHER mini (IB-MCT001). The flaw permits remote attackers to submit crafted HTTP requests that bypass access controls, resulting in unauthorized retrieval or deletion of product data and modification of device settings. It carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.
Unauthenticated attackers with network access can exploit the issue to read, alter, or destroy data and configuration on the affected device. Because the product is an industrial monitoring camera used on production lines, successful exploitation could enable surveillance, disruption of recording functions, or tampering with operational settings without authentication.
Public advisories from JVN, CISA (ICSA-25-084-04), the vendor Inaba, and Nozomi Networks direct users to the vendor-supplied PDF for remediation guidance and note that the vulnerabilities remain unpatched in some deployments. The associated EPSS score has remained low, with a current value of 0.0137 and a peak of 0.0189.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8847
Vulnerability details
Direct request ('Forced Browsing') issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If a remote attacker sends a specially crafted HTTP request to the product, the product data may be obtained or deleted, and/or the product settings may…
more
be altered.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a forced browsing vulnerability in the web interface of a publicly accessible monitoring device, allowing remote unauthenticated access to internal functions for data exposure and modifications, which directly maps to exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for logical access to system resources, directly preventing unauthorized forced browsing to sensitive product data and settings via crafted HTTP requests.
Monitors and controls communications at system boundaries, blocking remote attackers' crafted HTTP requests to vulnerable endpoints on the exposed web interface.
Validates information inputs such as HTTP requests, mitigating specially crafted requests that exploit the forced browsing vulnerability.