CVE-2025-20620
Description
SQL Injection vulnerability exists in STEALTHONE D220/D340 provided by Y'S corporation. An attacker who can access the affected product may obtain the administrative password of the web management page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in STEALTHONE D220/D340 allows unauthenticated attackers to retrieve the administrative password of the web management page.
Vulnerability Overview
CVE-2025-20620 is a SQL injection vulnerability (CWE-89) in the web management interface of Y'S corporation STEALTHONE D220 and D340 network storage servers. The flaw stems from insufficient sanitization of user-supplied input, allowing an attacker to inject arbitrary SQL commands [1].
Exploitation
The vulnerability is exploitable over the network without requiring authentication (CVSS v3.1 base score 7.5, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). An attacker who can reach the affected device's web management page can send specially crafted requests to perform SQL injection [1].
Impact
Successful exploitation enables the attacker to retrieve the administrative password of the web management interface. This compromises the confidentiality of the device's credentials and could lead to further unauthorized access and control [1].
Mitigation
Y'S corporation has released firmware updates to address this vulnerability. Users should update both the STEALTHONE D220 and the STEALTHONE D340 to a firmware version later than v6.03.02, as recommended by the vendor [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.