Japan’s Computer Emergency Response Team (CERT) has issued a security advisory warning about ongoing exploitation of zero-day vulnerabilities in I-O Data’s UD-LT1 and UD-LT1/EX LTE routers widely used across Japan.
The three flaws (CVE-2024-45841, CVE-2024-47133, CVE-2024-52564) involve information disclosure, remote arbitrary OS command execution, and the ability to disable the firewall. If exploited, they allow attackers to alter device settings, execute arbitrary commands, and disable the firewall. The vendor confirmed that some users have already reported exploitation of these flaws in real-world attacks.
The company has released firmware version v2.1.9, which addresses only CVE-2024-52564. Fixes for the remaining vulnerabilities (CVE-2024-45841 and CVE-2024-47133) are expected in firmware version v2.2.0, scheduled for release on December 18, 2024. Until then, users are advised to implement the following mitigations:
Disable Remote Management: Turn off this feature for all internet connection methods, including WAN Port, Modem, and VPN settings.
Restrict Access: Allow access only from VPN-connected networks to block unauthorized external connections.
Strengthen Passwords: Change the default "guest" user password to a complex one with at least 10 characters.
Monitor Device Settings: Regularly check for unauthorized changes and reset devices to factory defaults if suspicious activity is detected.