[Update notice] HMI View Jet C-more series

Mar. 24, 2025

1.Overview

Multiple vulnerabilities were found in the HMI View Jet C-more series. This notice describes them and how to deal with them.
Please review the contents and apply the following solution.

2.Products Affected

The following products are affected by the vulnerabilities.

Products        Firmware Version
EA7-S6M-S       All Versions
EA7-S6C-S       All Versions
EA7-T6C-S       All Versions
EA7-T8C-S       All Versions
EA7-T10C-S      All Versions
EA7-T10C-SG     All Versions
EA7-T12C-S      All Versions
EA7-T15C-S      All Versions

3.Description

The HMI View Jet C-more series contains the multiple vulnerabilities listed below.

3-1.Improper Restriction of Rendered UI Layers or Frames (CWE-1021)

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base score: 4.3
CVE-2025-24310

3-2.Denial-of-service (DoS) vulnerability in FTP service (CWE-770)

CVSS v3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base score: 5.3
CVE-2025-24317

3-3.Denial-of-service (DoS) vulnerability in Web service (CWE-770)

CVSS v3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base score: 5.3
CVE-2025-24317

3-4.Denial-of-service (DoS) vulnerability in Remote Access service (CWE-770)

CVSS v3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base score: 5.3
CVE-2025-24317

3-5.Unintended Proxy or Intermediary (‘Confused Deputy’) (CWE-441)

CVSS v3 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N Base score: 5.8
CVE-2025-25061

3-6.Weak Encoding for Password (CWE-261)

CVSS v3 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Base score: 6.5
CVE-2025-26401

4.Impact

A third party may be able to perform a clickjacking attack via crafted transparent or opaque elements on a website.
A remote attacker may be able to cause a denial of service (DoS) condition by sending specially crafted packets to specific ports. A denial of service (DoS) may cause the service to stop. Restarting the HMI is required to recover from a stopped service.
The HMI could be used in an FTP bounce attack, serving as a relay point to attack another host.
Weak encoding of credentials can lead to compromise of systems where passwords are used. An attacker could gain access to project files to obtain stored passwords or change passwords to arbitrary ones.

5.Mitigations and Protections

When connecting the HMI to the Internet, use a firewall or virtual private network (VPN) to prevent unauthorized access.
Reduce the risk of attack by making the HMI accessible only within an internal network.
Keep project files in a secure location where they cannot be accessed by third parties.
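
A defender-side check for the FTP bounce condition described in section 4, as an added example that is not part of the vendor's notice: it flags PORT/EPRT commands whose data-connection target is not the requesting client. The log layout, sample lines and function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: FTP control-channel commands as a network sensor might log
# them. The "ts src= dst= cmd=" layout is an assumption, not an HMI log format.
SAMPLE_LOG = """\
2025-03-24T10:00:01 src=192.0.2.10 dst=10.0.0.50 cmd=PORT 192,0,2,10,195,80
2025-03-24T10:00:07 src=192.0.2.10 dst=10.0.0.50 cmd=PORT 10,0,0,77,0,22
2025-03-24T10:00:09 src=192.0.2.10 dst=10.0.0.50 cmd=EPRT |1|10.0.0.78|445|
2025-03-24T10:00:12 src=192.0.2.11 dst=10.0.0.50 cmd=eprt |1|192.0.2.11|50211|
2025-03-24T10:00:15 src=192.0.2.10 dst=10.0.0.50 cmd=PORT 10,0,0,999,0,22
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=\S+ cmd=(PORT|EPRT) (.+)$", re.I)

def parse_data_target(verb, arg):
    """Return (ip, port) named by a PORT (RFC 959) or EPRT (RFC 2428) argument."""
    if verb == "PORT":
        h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
        if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
            raise ValueError("port byte out of range")
        return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2
    _, _proto, addr, port, _ = arg.split(arg[0])  # EPRT: <d>proto<d>addr<d>port<d>
    return ipaddress.ip_address(addr), int(port)

def find_bounce_candidates(log_text):
    """Flag data-connection requests that do not point back at the requesting client."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a PORT/EPRT command
        ts, src, verb, arg = m.groups()
        try:
            ip, port = parse_data_target(verb.upper(), arg.strip())
            client = ipaddress.ip_address(src)
        except ValueError:
            findings.append((ts, src, "malformed", arg))
            continue
        if ip != client:
            findings.append((ts, src, "third-party", f"{ip}:{port}"))
        elif port < 1024:
            findings.append((ts, src, "low-port", f"{ip}:{port}"))
    return findings

if __name__ == "__main__":
    for finding in find_bounce_candidates(SAMPLE_LOG):
        print(*finding)
```

A client behind NAT may legitimately send an address that differs from the source the sensor sees, so treat third-party hits as leads to verify against the network layout.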