OS Command Injection Vulnerability in I-O DATA HDL-T Series Network Attached Hard Disk
CVE-2025-32002

9.3CRITICAL

Key Information:

Vendor: I-o Data Device, Inc.
Status: Hdl-tc1; Hdl-tc500; Hdl-t1nv; Hdl-t1wh
Vendor: CVE Published:; 15 May 2025

🔔 Create I-o Data Device, Inc. Vulnerability Alert

What is CVE-2025-32002?

A security flaw exists in the firmware of I-O DATA's HDL-T Series network attached hard disk, specifically in versions 1.21 and earlier, when the Remote Link3 function is enabled. This vulnerability allows a remote unauthenticated attacker to exploit the system, leading to arbitrary OS command execution. It poses a significant risk to the integrity and security of the affected systems, potentially allowing unauthorized access and control.

Affected Version(s)

HDL-T1NV Ver.1.21 and earlier

HDL-T1WH Ver.1.21 and earlier

HDL-T2NV Ver.1.21 and earlier

References

https://www.iodata.jp/support/information/2025/05_hdl-t/

https://jvn.jp/en/vu/JVNVU91726405/

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2025
Vulnerability Reserved
Apr 15, 2025