
CVE-2025-32738: Missing authentication for critical function in I-O DATA DEVICE, INC. HDL-TC1

Severity: Medium
Type: Vulnerability (CVE-2025-32738)
Published: Thu May 15 2025 (05/15/2025, 08:48:19 UTC)
Source: CVE
Vendor/Project: I-O DATA DEVICE, INC.
Product: HDL-TC1

Description

Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings.

AI-Powered Analysis

Last updated: 07/06/2025, 11:57:06 UTC

Technical Analysis

CVE-2025-32738 is a vulnerability in the firmware of I-O DATA DEVICE, INC.'s network-attached storage (NAS) product, specifically the HDL-TC1 model within the HDL-T Series. Firmware versions 1.21 and earlier are affected. The core issue is missing authentication for a critical function, which allows a remote attacker to change the device's settings. The vulnerability is exploitable over the network and requires no privileges or user interaction, making it relatively easy to exploit. Although it does not directly impact confidentiality or availability, it compromises the integrity of the device's configuration. An attacker could potentially alter network settings, disable security features, or modify access controls, which could lead to further exploitation or persistent unauthorized access. The CVSS v3.1 base score of 5.3 (medium severity) reflects the moderate impact primarily on integrity with no confidentiality or availability impact. No known exploits are currently reported in the wild, and no patches have been linked yet, so users should be vigilant and monitor for updates from the vendor. The vulnerability was published in May 2025 and is tracked by JPCERT, the record's assigner.

Potential Impact

For European organizations, this vulnerability poses a moderate risk, especially for those relying on I-O DATA HDL-T Series NAS devices for critical data storage and network file sharing. The ability of an unauthenticated remote attacker to change device settings could lead to misconfigurations that weaken network security, such as disabling logging, altering user permissions, or redirecting network traffic. This could facilitate further attacks like data exfiltration, lateral movement within the network, or persistent backdoors. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, government) may face compliance risks if such devices are compromised. Additionally, since NAS devices often store backups or sensitive files, integrity compromise could disrupt business continuity or lead to data loss indirectly. The lack of authentication requirement and remote exploitability increase the attack surface, particularly for devices exposed to less secure network segments or the internet.

Mitigation Recommendations

European organizations using the I-O DATA HDL-T Series NAS devices should immediately inventory their deployments to identify affected firmware versions (1.21 and earlier). Until a vendor patch is available, network-level mitigations should be prioritized: restrict access to the NAS devices by implementing strict firewall rules limiting management interface exposure to trusted internal networks only. Employ network segmentation to isolate NAS devices from general user networks and the internet. Monitor network traffic and device logs for unusual configuration changes or unauthorized access attempts. If possible, disable remote management features temporarily. Organizations should subscribe to vendor advisories and apply firmware updates promptly once patches are released. Additionally, consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous activity targeting NAS management protocols. Regularly back up device configurations and data to enable recovery in case of compromise.
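The inventory step above, as an added example (not code from the vendor or from this advisory's source): a triage pass over a constructed asset list that flags units on firmware 1.21 or earlier and notes whether each management address lies outside the trusted range. The CSV columns, host names, addresses and the trusted network are assumptions; versions are compared as integer tuples because a string or float comparison ranks 1.9 above 1.21.

```python
import csv
import io
import ipaddress
import re

LAST_AFFECTED = (1, 21)  # advisory: firmware Ver.1.21 and earlier
# Assumption: management access is only expected from this internal range.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample inventory; column names are assumptions.
SAMPLE_INVENTORY = """host,model,firmware,mgmt_ip
nas-01,HDL-TC1,Ver.1.21,10.20.5.11
nas-02,HDL-TC1,1.9,192.0.2.44
nas-03,HDL-TC1,1.22,10.20.5.13
nas-04,HDL-TC1,,10.20.5.14
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if unparseable."""
    match = re.search(r"(\d+(?:\.\d+)+)", text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def triage(inventory_csv):
    """Map host -> (firmware status, management address placement)."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["firmware"])
        if version is None:
            status = "unknown"  # no firmware recorded: check the unit by hand
        elif version <= LAST_AFFECTED:
            status = "in_affected_range"
        else:
            status = "above_affected_range"
        addr = ipaddress.ip_address(row["mgmt_ip"])
        trusted = any(addr in net for net in TRUSTED_NETS)
        results[row["host"]] = (status, "trusted" if trusted else "outside_trusted")
    return results


if __name__ == "__main__":
    for host, (status, placement) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: firmware {status}, management address {placement}")
```

Units reported as `unknown` need a manual firmware check, and any unit that is both in the affected range and outside the trusted range is the first candidate for the firewall and segmentation measures above.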


Technical Details

Data Version: 5.1
Assigner Short Name: jpcert
Date Reserved: 2025-04-15T08:43:36.600Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec718

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 11:57:06 AM

Last updated: 8/15/2025, 5:18:30 PM
