OPEN BizRobo! Vulnerability Advisory: RCE via XStream Deserialization and Hardcoded Keys

### Critical Vulnerability Information #### Vulnerability Overview - **JVN ID**: JVN#30641875 - **Title**: Multiple Vulnerabilities in BizRobo! - **Release Date**: 2025/04/10 - **Update Date**: 2025/04/10 #### Affected Products - **CVE-2025-31362, CVE-2025-31932**: All versions of BizRobo! - **CVE-2013-7285**: BizRobo! v11.1 and earlier versions #### Description - **Use of Hardcoded Encryption Key (CVE-321)** - CVSSv3.0 Base Score: 3.7 - Robot files may contain credential information encrypted using the same single key. - **Deserialization of Untrusted Data in Import Function (CVE-502)** - CVSSv3.0 Base Score: 7.2 - The management console includes an outdated version of the XStream library, vulnerable to deserialization of untrusted data. - **Deserialization of Untrusted Data in Design Studio Licensing (CVE-502)** - CVSSv3.0 Base Score: 8.8 - The management console acts as a license server for Design Studio and is vulnerable to deserialization of untrusted data. #### Impact - Credentials in robot files may be extracted if the encryption key is available (CVE-2025-31362) - Arbitrary code execution on the management console (CVE-2013-7285, CVE-2025-31932) #### Solution - **CVE-2025-31362, CVE-2025-31932**: Apply workarounds provided by the developer. - **CVE-2013-7285**: Update the software or apply workarounds provided by the developer. #### Vendor Status - **Vendor**: OPEN, Inc. - **Link**: Provides Japanese documentation regarding hardcoded encryption keys, Java XStream library, and arbitrary code execution on the MC license server. #### References - JPCERT/CC Addendum - JPCERT/CC Vulnerability Analysis #### Acknowledgments - Masamu Asato reported this vulnerability to IPA.

Goal Reached Thanks to every supporter — we hit 100%!

OPEN BizRobo! Vulnerability Advisory: RCE via XStream Deserialization and Hardcoded Keys