Inaba Denki Sangyo CHOCO TEI WATCHER mini
Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-084-04 | Mar 25, 2025
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in the Inaba Denki Sangyo CHOCO TEI WATCHER mini (IB-MCT001) allow an attacker to obtain the product's login password, gain unauthorized access, tamper with product data, and modify product settings. The vulnerabilities involve weak authentication mechanisms (CWE-603), improper storage of passwords (CWE-257, CWE-521), and use of an insufficiently random nonce (CWE-425). All versions of the product are affected, and the vendor has no plans to release a patch.
What this means
What could happen
An attacker could recover the product's login password and gain unauthorized access to the CHOCO TEI WATCHER mini, potentially allowing them to view sensitive data, alter equipment settings, or tamper with monitoring configurations that may affect operational visibility.
Who's at risk
This advisory affects organizations deploying the Inaba Denki Sangyo CHOCO TEI WATCHER mini (model IB-MCT001), which is a small-scale industrial monitoring device commonly used in manufacturing facilities, building automation systems, and utilities to collect and display process or environmental data. Any facility relying on this device for operational visibility or control is affected.
How it could be exploited
An attacker with network access to the device (or via the Internet if exposed) can exploit weak authentication mechanisms and credential storage flaws to extract the login password. Once credentials are obtained, the attacker gains administrative access to modify device settings, tamper with data, or disable monitoring functions.
Prerequisites
- Network access to the CHOCO TEI WATCHER mini device (LAN or Internet if not firewalled)
- No authentication credentials required for initial exploitation
Tags: remotely exploitable, no authentication required, low complexity, no patch available, weak credential storage
Exploitability
Some exploitation risk — EPSS score 1.8%
Affected products (1)
Product | Affected Versions | Fix Status
CHOCO TEI WATCHER mini (IB-MCT001): vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Isolate CHOCO TEI WATCHER mini to LAN only; block all inbound network access from untrusted networks and hosts using firewall rules.
- HARDENING: If Internet access is required, deploy a VPN gateway or firewall between the device and the Internet, and restrict external access to minimum necessary.
- HARDENING: Restrict physical and operational access to the device to authorized personnel only; control and audit who can operate the device and handle any microSD cards.