Identifying and addressing production line stoppages is key to efficiency, minimizing downtime, and maintaining productivity. Since unplanned halts cause financial losses, supply disruptions, and quality issues understanding their cause and preventing recurrence is essential.
Nozomi Networks Labs has recently conducted security research on the Inaba Denki Sangyo Co., Ltd. IB-MCT001, a camera commonly found in Japanese production plants, which is designed to record production stoppages for subsequent analysis.
The assessment uncovered four vulnerabilities that pose serious risks, such as the remote extraction of plaintext credentials, or the possibility to bypass authentication and send direct requests to sensitive API endpoints (“forced browsing”). These flaws enable various attacks, allowing an unauthenticated attacker to remotely and secretly access live footage for surveillance, or disrupt the recording of production line stoppages preventing the capture of critical moments.
Unfortunately, the vendor was only able to provide mitigations and not patches for the identified vulnerabilities, that as such are still unaddressed at the time of the release of this article. Besides the vendor advisory, the vulnerabilities are also covered by JPCERT/CC advisory JVNVU#91154745, and CISA advisory ICSA-25-084-04.
In the following sections, we discuss the broader implications of these security findings and provide guidance on available mitigations to help organizations safeguard their industrial environments. Given that patches are not available, technical details have intentionally been omitted to prevent potential exploitation by malicious threat actors.
As part of our ongoing service to Nozomi Networks customers, our Threat Intelligence service has been enhanced with new methods to identify these flaws across devices.
Research Scope
The CHOCO TEI WATCHER mini (IB-MCT001) is a compact monitoring device developed to analyze brief production interruptions, commonly referred to as “choco tei”, in manufacturing environments. By capturing and visualizing these production stoppages, the device helps identify underlying causes and supports targeted process improvements. The device is designed for installation in confined spaces or within machinery, enabling comprehensive monitoring of various production areas. When a “stop” signal from the production line is detected, the CHOCO TEI WATCHER mini automatically starts recording before and continues after the event, providing valuable insight for root-cause analysis.
The primary interface for interacting with the CHOCO TEI WATCHER mini is the CHOCO TEI VIEWER, a browser-based application that facilitates remote device management and monitoring over a network connection. This web interface enables users to configure system, camera, and network settings without the need for specialized software. Users can view real-time video feeds, review stored footage, and download video files in Full HD resolution for detailed analysis. To ensure security, access to the viewer and configuration settings can be protected with customizable password options.
What Are the Impacts of These Vulnerabilities?
The identified vulnerabilities in the CHOCO TEI WATCHER mini introduce serious security risks that could allow an unauthenticated attacker to bypass the login process and obtain full control of the device. Potential attack scenarios include:
- Covert Surveillance of Production Lines: Since the issues allow unauthorized access to the device, an attacker could remotely and covertly monitor live camera feeds, including video and audio. This could facilitate industrial espionage, allowing competitors or malicious actors to spy on proprietary manufacturing processes and gain insights into workflow optimizations, specialized machinery usage, or product assembly techniques. Additionally, it raises privacy concerns, as employees could be unknowingly monitored. Finally, attackers could analyze security weaknesses, such as unattended machinery or shift changes, to plan further actions.
- Disruption of Stoppage Recordings: The Forced Browsing vulnerability enables an attacker to manipulate or delete recorded footage, particularly the automatically captured video triggered by production line stoppages. This could result in the loss of critical diagnostic footage, making it difficult to analyze and resolve operational inefficiencies, leading to prolonged downtime and increased costs. In industries that require stoppage recordings for quality control or regulatory compliance, missing or altered footage could result in production recalls. Additionally, a malicious insider could erase or modify footage to conceal intentional disruptions, equipment failures, or workplace incidents, without being detected.
What makes these issues particularly severe is that all these attacks can be executed remotely without requiring authentication, prior access, or user interaction. An attacker does not need valid credentials or administrative privileges—only the ability to exchange network packets with the device over a network. This means that if the CHOCO TEI WATCHER mini is exposed to the internet or accessible from an internal network, it becomes an easy target for exploitation.
Vulnerability List and Affected Versions
The following table lists the four vulnerabilities found, ordered by CVSS v3.1 base score. The vulnerabilities affect all versions of the Inaba Denki Sangyo Co., Ltd. IB-MCT001.
Remediations
As previously stated, the vendor has been unable to develop and release official patches to address the vulnerabilities found in the CHOCO TEI WATCHER mini. As a result, organizations using this device must take proactive steps to mitigate the risks associated with these security flaws.
Below are the remediations recommended by Nozomi Networks Labs to help protect existing installations:
- Since most vulnerabilities can be exploited remotely by unauthenticated attackers, organizations should restrict and monitor network access to the device’s management web application, ensuring only trusted users can connect. Placing the device on a secured, isolated network and implementing strict firewall rules will help block unauthorized access. If remote access is necessary, it should be limited to verified users via VPN and strong authentication. Enabling logging and intrusion detection can further help detect and respond to unauthorized access attempts.
- CVE-2025-24852 requires physical access to the microSD card used by the device. To mitigate the risk of physical exploitation, the device should be installed in a secure, restricted area accessible only to authorized personnel. Since the microSD card cannot be encrypted, it should be physically secured to prevent unauthorized removal or tampering. Regular inspections can help ensure that the device and its storage remain intact and uncompromised.
Asset owners seeking further guidance can refer to the following official security advisories for more details on mitigating the identified risks:
