Cyber Resilience

CVE-2025-26689

Critical

Published: 31 March 2025

Published
31 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0137 80.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26689 is a critical-severity Forced Browsing (CWE-425) vulnerability in Jvn (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-26689 is a forced browsing vulnerability (CWE-425) affecting all versions of CHOCO TEI WATCHER mini (IB-MCT001). The flaw permits remote attackers to submit crafted HTTP requests that bypass access controls, resulting in unauthorized retrieval or deletion of product data and modification of device settings. It carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.

Unauthenticated attackers with network access can exploit the issue to read, alter, or destroy data and configuration on the affected device. Because the product is an industrial monitoring camera used on production lines, successful exploitation could enable surveillance, disruption of recording functions, or tampering with operational settings without authentication.

Public advisories from JVN, CISA (ICSA-25-084-04), the vendor Inaba, and Nozomi Networks direct users to the vendor-supplied PDF for remediation guidance and note that the vulnerabilities remain unpatched in some deployments. The associated EPSS score has remained low, with a current value of 0.0137 and a peak of 0.0189.

EU & UK References

Vulnerability details

Direct request ('Forced Browsing') issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If a remote attacker sends a specially crafted HTTP request to the product, the product data may be obtained or deleted, and/or the product settings may…

more

be altered.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a forced browsing vulnerability in the web interface of a publicly accessible monitoring device, allowing remote unauthenticated access to internal functions for data exposure and modifications, which directly maps to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22732Shared CWE-425
CVE-2026-0790Shared CWE-425
CVE-2026-1978Shared CWE-425
CVE-2025-52024Shared CWE-425
CVE-2026-32867Shared CWE-425
CVE-2026-25679Shared CWE-425
CVE-2026-4532Shared CWE-425
CVE-2025-2147Shared CWE-425
CVE-2026-0650Shared CWE-425
CVE-2026-34056Shared CWE-425

Affected Assets

Jvn
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to system resources, directly preventing unauthorized forced browsing to sensitive product data and settings via crafted HTTP requests.

prevent

Monitors and controls communications at system boundaries, blocking remote attackers' crafted HTTP requests to vulnerable endpoints on the exposed web interface.

prevent

Validates information inputs such as HTTP requests, mitigating specially crafted requests that exploit the forced browsing vulnerability.

References