CVE-2025-24517 Overview
CVE-2025-24517 affects the CHOCO TEI WATCHER mini (IB-MCT001), a production-line monitoring camera manufactured by Inaba Denki Sangyo. The device implements authentication on the client side rather than the server side [CWE-603]. A remote attacker can retrieve the product login password without prior authentication by interacting with the device over the network. All versions of the IB-MCT001 are affected. The flaw enables unauthorized access to the camera's management interface, exposing recorded video, configuration, and operational controls used on industrial production lines.
Critical Impact
A network-based attacker can obtain the device login password without authentication and gain full control of the production-line camera.
Affected Products
- Inaba Denki Sangyo CHOCO TEI WATCHER mini (IB-MCT001) — all versions
- Industrial monitoring deployments using IB-MCT001 cameras
- Production-line environments exposing the device to reachable networks
Discovery Timeline
- 2025-03-31 - CVE-2025-24517 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-24517
Vulnerability Analysis
The IB-MCT001 enforces login checks within client-side code rather than on the device's backend. The web management interface delivers the password, or material sufficient to derive it, to the requesting client before the user authenticates. An attacker who can reach the device on the network can request the relevant resource and read the credential directly from the response. Because authorization decisions occur in the browser, the server fulfills requests that should require an authenticated session.
Once the password is recovered, the attacker authenticates as a legitimate operator. From there, the attacker can view live and recorded footage from the production line, modify recording settings, or disable monitoring. In manufacturing environments, loss of trustworthy footage can hinder root-cause analysis of line stoppages and undermine safety review processes. The Nozomi Networks research describes the device's role in capturing micro-stoppage events that are otherwise difficult to investigate.
Root Cause
The root cause is the use of client-side authentication [CWE-603]. Authentication logic and password verification run in untrusted client code, while the server returns sensitive material before validating a session. Any client can bypass the check by reading the response or skipping the client-side gate entirely.
Attack Vector
Exploitation is network-based, requires no privileges, and requires no user interaction. An attacker who can reach the device's HTTP interface issues a request to the resource that exposes the password and parses the credential from the response. The attacker then logs in through the normal interface using the recovered password.
No verified public exploit code is published. See the JVN Security Advisory, CISA ICS Advisory ICSA-25-084-04, and the Nozomi Networks research for additional technical context.
Detection Methods for CVE-2025-24517
Indicators of Compromise
- Unexpected HTTP requests to the IB-MCT001 management interface from hosts outside the engineering or maintenance VLAN.
- Successful logins to the camera from new or unrecognized source IP addresses.
- Configuration changes, recording deletions, or service restarts on the device that do not correspond to scheduled maintenance.
Detection Strategies
- Inspect HTTP traffic to IB-MCT001 devices for requests to resources that return credential material before authentication.
- Correlate network flows with operator login activity to identify password retrieval followed by an authenticated session from the same source.
- Flag access to the device from any network segment that is not explicitly authorized to reach industrial monitoring assets.
Monitoring Recommendations
- Forward network telemetry covering OT segments into a centralized analytics platform for retention and query.
- Alert on first-seen source IPs communicating with IB-MCT001 hosts and on access outside maintenance windows.
- Monitor for downloads of configuration or video assets that exceed normal operational volume.
How to Mitigate CVE-2025-24517
Immediate Actions Required
- Remove the IB-MCT001 from any network reachable by untrusted hosts, including the internet and general corporate LAN.
- Place the device behind a firewall or industrial DMZ that restricts inbound access to known operator workstations.
- Audit recent access logs for unexpected logins and rotate any shared operational credentials reused elsewhere.
Patch Information
At the time of the latest NVD update, no vendor patch is referenced for CVE-2025-24517. Review the Inaba Chocomini Vulnerability advisory and CISA ICS Advisory ICSA-25-084-04 for the latest vendor guidance and any future firmware updates.
Workarounds
- Enforce network segmentation so the IB-MCT001 is reachable only from a dedicated management subnet.
- Require VPN access with multi-factor authentication for any remote operator who needs to view the camera.
- Disable or block the device's HTTP interface at the network layer when active monitoring is not required.
- Apply strict ACLs on switches and firewalls to limit source IPs allowed to communicate with the device.
# Example firewall rule restricting IB-MCT001 access to a management host
iptables -A FORWARD -s 10.10.20.5/32 -d 192.168.50.42/32 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.50.42/32 -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
