
CVE-2025-66357: Improper check for unusual or exceptional conditions in Inaba Denki Sangyo Co., Ltd. CHOCO TEI WATCHER mini (IB-MCT001)

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-66357, cve, cve-2025-66357
Published: Tue Dec 16 2025 (12/16/2025, 04:48:35 UTC)
Source: CVE Database V5
Vendor/Project: Inaba Denki Sangyo Co., Ltd.
Product: CHOCO TEI WATCHER mini (IB-MCT001)

Description

CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. When the Video Download feature is in a specific communication state, the product's resources may be consumed abnormally.

AI-Powered Analysis

Last updated: 12/23/2025, 05:59:34 UTC

Technical Analysis

CVE-2025-66357 is a vulnerability identified in the CHOCO TEI WATCHER mini (IB-MCT001), a product by Inaba Denki Sangyo Co., Ltd., affecting all versions. The root cause is an improper check for unusual or exceptional conditions during the operation of the Video Download feature when the device is in a specific communication state. This flaw leads to abnormal consumption of the device's resources, which can degrade performance or cause denial of service (DoS) conditions by exhausting CPU, memory, or other critical resources. The vulnerability does not impact confidentiality or integrity, as it does not allow unauthorized data access or modification.

The CVSS 3.0 base score is 5.3 (medium), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and affects availability (A:L) only. No authentication is required to exploit this vulnerability, increasing its risk profile. No known exploits have been reported in the wild, and no patches have been released by the vendor as of the publication date.

The device is likely used in environments requiring video monitoring or IoT applications, where continuous availability is critical. The improper handling of exceptional states suggests a potential design or implementation flaw in the device's firmware or software stack managing video downloads and communication protocols. Attackers could remotely trigger the abnormal resource consumption, potentially leading to device crashes or service interruptions.

Potential Impact

For European organizations, the primary impact of CVE-2025-66357 is on availability. Organizations relying on the CHOCO TEI WATCHER mini for video monitoring or IoT functions may experience service disruptions or device unavailability, which could affect operational continuity, especially in security-sensitive environments such as manufacturing, logistics, or critical infrastructure monitoring. Although confidentiality and integrity are not directly affected, the denial of service could indirectly impact security posture by disabling surveillance or monitoring capabilities. The lack of required authentication and user interaction means attackers can exploit this vulnerability remotely and autonomously, increasing the risk of widespread disruption. In sectors where video monitoring devices are integrated into broader security or operational technology (OT) systems, this vulnerability could cascade, affecting dependent systems or triggering false alarms. The absence of patches necessitates interim risk management strategies to prevent exploitation. The impact is more pronounced in environments with limited device redundancy or where rapid device recovery is challenging.

Mitigation Recommendations

Since no patches are currently available, European organizations should implement specific mitigations to reduce risk. First, network segmentation should isolate CHOCO TEI WATCHER mini devices from critical network segments to limit exposure. Deploy strict firewall rules to restrict inbound and outbound traffic to only trusted sources and necessary protocols related to the device's operation. Continuous monitoring of device resource usage and network traffic can help detect abnormal behavior indicative of exploitation attempts. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or anomaly detection tailored to the device's communication patterns. Where possible, disable or restrict the Video Download feature if it is not essential to operations. Engage with the vendor for updates and patches, and plan for timely deployment once available. Additionally, maintain an inventory of all affected devices to prioritize risk assessment and response. Consider implementing fallback or redundant monitoring solutions to maintain operational continuity if devices become unavailable. Finally, educate operational staff about the vulnerability and signs of exploitation to enhance detection and response capabilities.


Technical Details

Data Version: 5.2
Assigner Short Name: jpcert
Date Reserved: 2025-11-27T14:15:05.859Z
Cvss Version: 3.0
State: PUBLISHED

Threat ID: 6940e76154c229a9f5d8d5d9

Added to database: 12/16/2025, 5:00:17 AM

Last enriched: 12/23/2025, 5:59:34 AM

Last updated: 2/7/2026, 10:42:27 AM
