{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21411", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-01-05T02:44:14.797Z", "datePublished": "2026-01-06T06:34:11.329Z", "dateUpdated": "2026-01-06T14:49:01.813Z"}, "containers": {"cna": {"affected": [{"vendor": "Plat'Home Co.,Ltd.", "product": "OpenBlocks IoT DX1 (FW5.0.x)", "versions": [{"version": "all versions prior to FW5.0.8", "status": "affected"}]}, {"vendor": "Plat'Home Co.,Ltd.", "product": "OpenBlocks IoT EX/BX models (FW5.0.x)", "versions": [{"version": "all versions prior to FW5.0.8", "status": "affected"}]}, {"vendor": "Plat'Home Co.,Ltd.", "product": "OpenBlocks IX9 models with FW (FW5.0.x)", "versions": [{"version": "all versions prior to FW5.0.8", "status": "affected"}]}, {"vendor": "Plat'Home Co.,Ltd.", "product": "OpenBlocks IoT VX2 (FW5.0.x)", "versions": [{"version": "all versions prior to FW5.0.8", "status": "affected"}]}, {"vendor": "Plat'Home Co.,Ltd.", "product": "OpenBlocks IDM RX1 (FW5.0.x)", "versions": [{"version": "all versions prior to FW5.0.8", "status": "affected"}]}, {"vendor": "Plat'Home Co.,Ltd.", "product": "OpenBlocks IoT FX1 (FW5.0.x)", "versions": [{"version": "all versions prior to FW5.0.8", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Authentication bypass issue exists in OpenBlocks series versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password."}], "problemTypes": [{"descriptions": [{"description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en-US", "cweId": "CWE-288", "type": "CWE"}]}], "references": [{"url": "https://www.plathome.co.jp/support/software/fw5/dx1-v5-0-8/"}, {"url": "https://jvn.jp/en/vu/JVNVU97172240/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-01-06T06:34:11.329Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:47:57.055920Z", "id": "CVE-2026-21411", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:49:01.813Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21411", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-06T14:47:57.055920Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:48:03.722Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Plat'Home Co.,Ltd.", "product": "OpenBlocks IoT DX1 (FW5.0.x)", "versions": [{"status": "affected", "version": "all versions prior to FW5.0.8"}]}, {"vendor": "Plat'Home Co.,Ltd.", "product": "OpenBlocks IoT EX/BX models (FW5.0.x)", "versions": [{"status": "affected", "version": "all versions prior to FW5.0.8"}]}, {"vendor": "Plat'Home Co.,Ltd.", "product": "OpenBlocks IX9 models with FW (FW5.0.x)", "versions": [{"status": "affected", "version": "all versions prior to FW5.0.8"}]}, {"vendor": "Plat'Home Co.,Ltd.", "product": "OpenBlocks IoT VX2 (FW5.0.x)", "versions": [{"status": "affected", "version": "all versions prior to FW5.0.8"}]}, {"vendor": "Plat'Home Co.,Ltd.", "product": "OpenBlocks IDM RX1 (FW5.0.x)", "versions": [{"status": "affected", "version": "all versions prior to FW5.0.8"}]}, {"vendor": "Plat'Home Co.,Ltd.", "product": "OpenBlocks IoT FX1 (FW5.0.x)", "versions": [{"status": "affected", "version": "all versions prior to FW5.0.8"}]}], "references": [{"url": "https://www.plathome.co.jp/support/software/fw5/dx1-v5-0-8/"}, {"url": "https://jvn.jp/en/vu/JVNVU97172240/"}], "descriptions": [{"lang": "en", "value": "Authentication bypass issue exists in OpenBlocks series versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-288", "description": "Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-01-06T06:34:11.329Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21411", "state": "PUBLISHED", "dateUpdated": "2026-01-06T14:49:01.813Z", "dateReserved": "2026-01-05T02:44:14.797Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-01-06T06:34:11.329Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication bypass issue exists in OpenBlocks series versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password."}, {"lang": "es", "value": "Existe un problema de omisi\u00f3n de autenticaci\u00f3n en las versiones de la serie OpenBlocks anteriores a FW5.0.8, lo que podr\u00eda permitir a un atacante omitir la autenticaci\u00f3n de administrador y cambiar la contrase\u00f1a."}], "id": "CVE-2026-21411", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-01-06T07:15:43.870", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/vu/JVNVU97172240/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.plathome.co.jp/support/software/fw5/dx1-v5-0-8/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T20:00:54.999427+00:00", "value": {"mitigation_remediation": ["Upgrade the device firmware to version 5.0.8 or newer, following vendor release notes and guidance", "Reboot the device after the firmware upgrade to ensure the new firmware is active and the authentication bypass is removed", "If an update is not yet possible, limit network access to the device\u2019s management interface and enforce strong authentication to reduce potential credential takeover"], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Affected devices are Plat'Home Devices in the OpenBlocks series: IDM RX1, IX9, IoT DX1, IoT EX/BX, IoT FX1, and IoT VX2. All devices running firmware 5.0.x prior to version 5.0.8 are impacted. No other versions or vendors are listed as affected.", "description_and_impact": "The vulnerability is an authentication bypass that allows an attacker to change the administrator password without providing valid credentials. This flaw is a classic authentication bypass issue (CWE-288) and could enable an attacker to gain privileged control over the affected devices. The capability to alter the password means the attacker can later log in as an administrator, potentially compromising device configuration and data.", "risk_and_exploitability": "The CVSS score of 8.7 reflects a high severity level. The EPSS score is below 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Based on the nature of the flaw and provided documentation, a likely attack vector involves accessing the device\u2019s management interface over the network or locally; however, the exact attack path is not detailed in the description and is therefore inferred."}}}}, "created": "2026-04-18T20:15:09.555494+00:00", "title": "Authentication Bypass Allowing Administrator Password Modification", "updated": "2026-04-18T20:15:09.555508+00:00", "vendors": []}