Description
An unquoted search path vulnerability exists in HDD Password tool (for Windows) version 1.20.6620 and earlier which is stored in CANVIO PREMIUM 3TB(HD-MB30TY, HD-MA30TY, HD-MB30TS, HD-MA30TS), CANVIO PREMIUM 2TB(HD-MB20TY, HD-MA20TY, HD-MB20TS, HD-MA20TS), CANVIO PREMIUM 1TB(HD-MB10TY, HD-MA10TY, HD-MB10TS, HD-MA10TS), CANVIO SLIM 1TB(HD-SB10TK, HD-SB10TS), and CANVIO SLIM 500GB(HD-SB50GK, HD-SA50GK, HD-SB50GS, HD-SA50GS), and which was downloaded before 2020 May 10. Since it registers Windows services with unquoted file paths, when a registered path contains spaces, and a malicious executable is placed on a certain path, it may be executed with the privilege of the Windows service.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://www.canvio.jp/news/20200420.htm
Third Party Advisory x_refsource_misc
https://jvn.jp/en/jp/JVN13467854/index.html
Scores
CVSS v3
8.4
EPSS
0.0034
EPSS Percentile
26.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-428
Status
published
Products (1)
toshiba/password_tool_for_windows
< 1.20.6620
Published
Apr 20, 2020
Tracked Since
Feb 18, 2026