
CVE-2025-32002: Improper neutralization of special elements used in an OS command ('OS Command Injection') in I-O DATA DEVICE, INC. HDL-TC1

Severity: Critical
Published: Thu May 15 2025 (05/15/2025, 08:48:12 UTC)
Source: CVE
Vendor/Project: I-O DATA DEVICE, INC.
Product: HDL-TC1

Description

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier when 'Remote Link3 function' is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command.

AI-Powered Analysis

Last updated: 07/06/2025, 11:56:07 UTC

Technical Analysis

CVE-2025-32002 is a critical security vulnerability affecting the I-O DATA DEVICE, INC. network-attached storage (NAS) product HDL-TC1, specifically firmware versions 1.21 and earlier. The vulnerability arises from improper neutralization of special elements in OS commands, commonly known as OS Command Injection. This flaw exists when the 'Remote Link3 function' is enabled, allowing a remote attacker to inject arbitrary OS commands without authentication or user interaction. The vulnerability has a CVSS v3.1 score of 9.8, indicating a critical severity level with high impact on confidentiality, integrity, and availability. Exploitation requires no privileges and no user interaction, and can be performed remotely over the network. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system of the NAS device, potentially leading to full system compromise, data theft, data destruction, or use of the device as a pivot point for further network attacks. Although no known exploits are currently reported in the wild, the high severity and ease of exploitation make this a significant threat. The vulnerability was published on May 15, 2025, and has been assigned by JPCERT with enrichment from CISA. No official patches or mitigations have been linked yet, increasing the urgency for affected users to take protective measures.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for those relying on I-O DATA HDL-TC1 NAS devices for critical data storage and remote access. Exploitation could lead to unauthorized data access or exfiltration, disruption of business operations due to device compromise or denial of service, and potential lateral movement within corporate networks. Given the remote and unauthenticated nature of the exploit, attackers could leverage this vulnerability to bypass perimeter defenses and gain footholds in enterprise environments. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, could face severe regulatory and reputational consequences if sensitive data is compromised. Additionally, the ability to execute arbitrary OS commands could enable attackers to deploy ransomware or other malware, amplifying the operational impact. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the critical severity demands immediate attention to prevent potential exploitation.

Mitigation Recommendations

1. Immediate firmware upgrade: Organizations should monitor I-O DATA DEVICE, INC. official channels for firmware updates addressing this vulnerability and apply patches as soon as they become available.
2. Disable Remote Link3 function: Until a patch is applied, disable the Remote Link3 feature to eliminate the attack vector.
3. Network segmentation: Isolate affected NAS devices from untrusted networks and restrict access to trusted management networks only.
4. Implement strict firewall rules: Block inbound traffic to the NAS devices from untrusted external sources, especially targeting the ports used by Remote Link3.
5. Monitor logs and network traffic: Deploy intrusion detection systems to identify suspicious command execution attempts or anomalous network activity related to the NAS devices.
6. Incident response readiness: Prepare to respond quickly to any signs of compromise, including isolating affected devices and conducting forensic analysis.
7. Vendor communication: Engage with I-O DATA support to obtain guidance and confirm patch availability.
8. Inventory and asset management: Identify all HDL-TC1 devices in the environment to ensure comprehensive coverage of mitigation efforts.


Technical Details

Data Version: 5.1
Assigner Short Name: jpcert
Date Reserved: 2025-04-15T08:43:39.460Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec710

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 11:56:07 AM

Last updated: 7/29/2025, 3:38:20 AM
