Inaba Denki Sangyo CHOCO TEI WATCHER mini

Act Now9.8ICS-CERT ICSA-25-084-04Mar 25, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in CHOCO TEI WATCHER mini (IB-MCT001) allow attackers to extract the device login password, gain unauthorized access, and tamper with product data and settings. The weaknesses stem from insecure credential storage (CWE-257, CWE-521), improper authentication mechanisms (CWE-603), and insufficient access controls (CWE-425). All versions of the product are affected and no patch has been released by the vendor.

What this means

What could happen

An attacker with network access could extract the device's login password, gain unauthorized access, and modify monitoring data or system settings. This could allow tampering with equipment status displays or disabling alerts in critical facility operations.

Who's at risk

Water treatment plants, municipal utilities, and industrial facilities using CHOCO TEI WATCHER mini (model IB-MCT001) for environmental monitoring or facility status tracking. Operators responsible for maintaining alert systems and equipment data integrity should prioritize mitigation.

How it could be exploited

An attacker with network reachability to the device could exploit credential storage or authentication weaknesses to extract the login password, then use those credentials to access the web interface or management functions and modify device configuration or data.

Prerequisites

Network access to the CHOCO TEI WATCHER mini device (typically port 80/443 or management interface)
Device must be reachable from the attacker's network segment
No valid credentials required for initial exploitation of authentication bypass or credential extraction

remotely exploitableno authentication required for initial exploitationlow complexity attackno patch availableaffects monitoring/safety visibility

Exploitability

Low exploit probability (EPSS 0.8%)

Affected products (1)

ProductAffected VersionsFix Status

CHOCO TEI WATCHER mini (IB-MCT001): vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to the device by deploying firewall rules to block all inbound connections from untrusted networks and hosts; allow only authorized management workstations

WORKAROUNDIf Internet access to the device is required, use a VPN or firewall to enforce a minimum viable connection policy; do not expose the device directly to the Internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGRestrict physical and logical access to the device and its microSD card to authorized personnel only

Mitigations - no patch available

0/1

CHOCO TEI WATCHER mini (IB-MCT001): vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate the monitoring device from general IT networks and untrusted hosts

CVEs (4)

CVE-2025-24517 CVE-2025-24852 CVE-2025-25211 CVE-2025-26689

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/734f2bc8-6aed-4caa-a31a-db8167ca6ef6