CVE-2025-22450 Overview
CVE-2025-22450 is a firmware vulnerability affecting I-O Data UD-LT2 routers running firmware version 1.00.008_SE and earlier. The device contains an undocumented feature that a remote attacker can abuse to disable the LAN-side firewall and open specific ports. The flaw is categorized under CWE-1242, Inclusion of Undocumented Features, and exposes internal network services to the public internet.
Critical Impact
Remote attackers can disable the LAN-side firewall on UD-LT2 devices without authentication, exposing internal services and enabling lateral movement into trusted network segments.
Affected Products
- I-O Data UD-LT2 router firmware version 1.00.008_SE
- I-O Data UD-LT2 router firmware versions prior to 1.00.008_SE
- Deployments using UD-LT2 LTE/5G connectivity appliances on Japanese networks
Discovery Timeline
- 2025-01-22 - CVE-2025-22450 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-22450
Vulnerability Analysis
The UD-LT2 is a hybrid LTE/wired router used to provide redundant internet connectivity. The firmware ships with an undocumented feature that an unauthenticated remote attacker can invoke over the network. When triggered, the feature disables the LAN-side firewall and opens specific TCP/UDP ports toward the internal network.
This vulnerability falls under firmware design flaws. The undocumented feature was not disclosed in product documentation and therefore was not subject to standard hardening or access-control review. The result is integrity loss for the firewall configuration, while confidentiality and availability of the device itself remain intact.
Once the firewall is bypassed, internal services such as management interfaces, file shares, or industrial endpoints become reachable from the WAN. Attackers can pivot into the LAN, scan internal hosts, and stage follow-on exploitation against services that administrators assumed were protected by the device perimeter.
Root Cause
The root cause is the inclusion of hidden functionality in the firmware that was not documented and not protected by authentication. Vendor-internal features intended for support or provisioning remained reachable in production builds, providing a network-accessible control path to firewall configuration state.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends a crafted request to the affected device over the network to invoke the undocumented feature. The device processes the request, disables the LAN-side firewall, and opens predetermined ports. The attacker then connects directly to LAN-side services exposed through the now-open ports. Public technical details on the specific request format are restricted; refer to the JVN Security Bulletin and the I-O Data Support Update for vendor-supplied information.
Detection Methods for CVE-2025-22450
Indicators of Compromise
- Unexpected inbound TCP/UDP connections from internet sources to LAN-side hosts behind a UD-LT2 device
- Firewall rule state on the UD-LT2 transitioning to disabled without administrative action in device logs
- New listening services or port responses appearing on internal hosts when queried from the WAN interface
- UD-LT2 management logs showing requests to non-public or undocumented URI paths
Detection Strategies
- Compare current device firewall configuration against a known-good baseline on a recurring schedule
- Monitor WAN-side port scans of UD-LT2 IP addresses and correlate with subsequent inbound traffic to LAN hosts
- Inspect router syslog output for configuration changes that were not initiated by an authenticated administrator
- Apply network IDS signatures to detect anomalous management-plane traffic toward UD-LT2 devices
Monitoring Recommendations
- Forward UD-LT2 device logs to a centralized log platform and alert on firewall state transitions
- Enable NetFlow or IPFIX on upstream equipment to baseline traffic patterns to and from UD-LT2 devices
- Track exposed services on LAN hosts using periodic external port scans from outside the perimeter
- Alert on any external connection that successfully reaches a LAN host that should not be internet-reachable
How to Mitigate CVE-2025-22450
Immediate Actions Required
- Update UD-LT2 firmware to a version later than 1.00.008_SE as published in the I-O Data Support Update
- Inventory all UD-LT2 devices and verify firmware versions across the fleet
- Restrict WAN-side reachability of the UD-LT2 management plane using upstream access control lists
- Audit current firewall rules on each device and re-enable any rules that were silently disabled
Patch Information
I-O Data has published firmware updates and guidance for the UD-LT2. Administrators should consult the I-O Data Support Update and the JVN Security Bulletin for the fixed firmware version and installation procedure. Apply the update through the device management interface and verify the firmware version after reboot.
Workarounds
- Place the UD-LT2 behind an upstream firewall that enforces ingress filtering independent of the device configuration
- Block inbound traffic from untrusted sources to the UD-LT2 WAN interface where operationally feasible
- Segment LAN hosts behind the UD-LT2 so that critical services are not reachable even if the device firewall is disabled
- Disable remote management features that are not strictly required for operations
# Configuration example: upstream ACL to limit WAN exposure of UD-LT2 management
# Replace 203.0.113.10 with the UD-LT2 WAN address and 198.51.100.0/24 with authorized admin networks
access-list 100 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq 443
access-list 100 deny ip any host 203.0.113.10
access-list 100 permit ip any any
interface GigabitEthernet0/0
ip access-group 100 in
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
