Japanese device maker I-O Data this week confirmed zero-day exploitation of critical flaws in multiple routers and warned that full patches won’t be available for a few weeks.

According to a warning from incident responders at JPCERT/CC, the most serious flaw opens the door for a remote attacker to disable the router’s firewall, execute commands, or alter configurations.

“The developer states that attacks exploiting these vulnerabilities have been observed,” according to the JPCERT/CC alert.

A separate bulletin from IO-Data documents three separate defects — CVE-2024-45841, CVE-2024-47133 and CVE-2024-52564 — and warns of additional information disclosure and command execution risks.

From the IO-Data advisory:

• CVE-2024-45841 — If a third party who knows the guest account of the device accesses a specific file, information including authentication information may be stolen. CVSS 6.5.
• CVE-2024-47133 — Arbitrary OS commands can be executed by a third party who can log in as an administrator user. CVSS 7.2.
• CVE-2024-52564: (Undocumented features inclusion) A remote third party may disable the firewall of the target device, execute arbitrary OS commands on the target device, or change the device settings. CVSS 7.5.

IO-Data, known for its PC peripherals and IOT devices, has shipped a firmware update (version 2.1.9) to fix one of the bugs but warned that fixes for CVE-2024-45841 and CVE-2024-47133 won’t be available until at least December 18, 2024.

There are no public details available on the zero-day exploits, which were reported by  researchers from the National Institute of Information and Communications Technology and 00One, Inc., and coordinated through Japan’s Information Security Early Warning Partnership.

Related: Sophisticated Cyberspies Target Middle East, Africa via Routers

Related: US Disrupts ‘Raptor Train’ Botnet of Chinese APT Flax Typhoon

Related: Researchers Discover 40,000-Strong EOL Router, IoT Botnet 

Related: US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon