Apache IoTDB, a database for industrial IoT time-series data, has three published vulnerabilities: two that expose sensitive information (one in the server, one in its JDBC driver) and one that allows remote code execution on the server.
CVE-2025-26795 (Apache IoTDB server) and CVE-2025-26864 (the iotdb-jdbc driver) both concern exposure of sensitive information. The weakness is in the OpenID authentication path: credentials handled there could be disclosed to an unauthorized actor, and the JDBC driver could write them into its log files, where anyone with read access to the client's logs can recover them.
Both issues cover the same version ranges. Apache IoTDB is affected from 0.10.0 through 1.3.3 (inclusive) and from 2.0.1-beta up to, but not including, 2.0.2. The iotdb-jdbc driver is affected in exactly the same ranges. Because the driver is a separate artifact bundled into client applications, a patched server does not imply patched clients.
CVE-2024-24780 is a Remote Code Execution issue. Apache IoTDB lets a user register a user-defined function (UDF) by pointing the server at a URI from which the function's code is loaded, and the server did not restrict that URI to trusted sources. An authenticated user who holds the privilege to create UDFs can therefore register a function from an attacker-controlled location and have the server load and execute that code. The exposure is bounded by who holds that privilege, which is why it should be granted only to administrators.
This vulnerability affects Apache IoTDB from 1.0.0 up to, but not including, 1.3.4.
Users of Apache IoTDB should upgrade promptly: to 1.3.4 on the 1.x line or to 2.0.2 on the 2.x line, which contain the fixes for these issues (by the stated range, CVE-2024-24780 only affects the 1.x line). Upgrade the iotdb-jdbc dependency in every client application as well, not just the server. Until the upgrade is in place, restrict the privilege to create UDFs to trusted administrators. Where OpenID authentication was in use on an affected version, treat the credentials it handled as potentially exposed: rotate them and review or scrub client log files that may contain them.
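The first practical step is to find out which of your deployments and client builds fall inside the ranges above. The following checker is an added example, not Apache IoTDB project code: it encodes the affected ranges exactly as stated in this advisory ("through" inclusive, "before" exclusive), orders pre-release tags such as `2.0.1-beta` before the corresponding release, and scans a Maven POM for `org.apache.iotdb` dependencies. The component label `iotdb` for the server, the sample POM, and the `${property}` resolution are assumptions made for the example.

```python
"""Check Apache IoTDB server / iotdb-jdbc versions against the affected ranges
named in the advisory above. Added example; not Apache IoTDB project code."""
import re
import xml.etree.ElementTree as ET

# Affected ranges as the advisory states them: (cve, low, high, high_inclusive).
# "through" means the upper bound is inclusive, "before" means it is exclusive.
# "iotdb" is this example's label for the server; "iotdb-jdbc" is the driver artifact.
ADVISORIES = {
    "iotdb": [
        ("CVE-2025-26795", "0.10.0", "1.3.3", True),
        ("CVE-2025-26795", "2.0.1-beta", "2.0.2", False),
        ("CVE-2024-24780", "1.0.0", "1.3.4", False),
    ],
    "iotdb-jdbc": [
        ("CVE-2025-26864", "0.10.0", "1.3.3", True),
        ("CVE-2025-26864", "2.0.1-beta", "2.0.2", False),
    ],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Turn '2.0.1-beta' into a comparable tuple.

    A release sorts after any pre-release of the same number, so the tuple is
    (major, minor, patch, is_release, tag): '2.0.1-beta' < '2.0.1' < '2.0.2'.
    Two different pre-release tags of one number compare lexically, which is
    good enough for the ranges above.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def in_range(version, low, high, high_inclusive):
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    return lo <= v <= hi if high_inclusive else lo <= v < hi


def affected_cves(component, version):
    """Return the sorted CVE IDs whose affected range covers this version."""
    ranges = ADVISORIES.get(component)
    if ranges is None:
        raise ValueError(f"unknown component {component!r}; expected one of {sorted(ADVISORIES)}")
    return sorted({cve for cve, low, high, incl in ranges if in_range(version, low, high, incl)})


def scan_pom(pom_xml):
    """Report org.apache.iotdb dependencies in a Maven POM that this page covers.

    Returns a list of (artifactId, version, [cve, ...]). Versions written as
    ${property} placeholders are resolved against <properties> when possible.
    Artifacts the advisory does not name (anything other than iotdb-jdbc) are skipped.
    """
    root = ET.fromstring(pom_xml)
    uri = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    ns = {"m": uri} if uri else {}
    p = (lambda tag: f"m:{tag}") if uri else (lambda tag: tag)
    props = {child.tag.split("}")[-1]: (child.text or "").strip()
             for child in root.findall(p("properties") + "/*", ns)}
    results = []
    for dep in root.iter(f"{{{uri}}}dependency" if uri else "dependency"):
        group = dep.findtext(p("groupId"), default="", namespaces=ns).strip()
        if group != "org.apache.iotdb":
            continue
        artifact = dep.findtext(p("artifactId"), default="", namespaces=ns).strip()
        version = dep.findtext(p("version"), default="", namespaces=ns).strip()
        placeholder = re.fullmatch(r"\$\{(.+)\}", version)
        if placeholder:
            version = props.get(placeholder.group(1), version)
        if artifact in ADVISORIES:
            results.append((artifact, version, affected_cves(artifact, version)))
    return results


# Constructed sample POM for the example: a client pinning iotdb-jdbc via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><iotdb.version>1.3.3</iotdb.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.iotdb</groupId>
      <artifactId>iotdb-jdbc</artifactId>
      <version>${iotdb.version}</version>
    </dependency>
    <dependency>
      <groupId>org.postgresql</groupId>
      <artifactId>postgresql</artifactId>
      <version>42.7.3</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for comp, ver in [("iotdb", "1.3.3"), ("iotdb", "2.0.1-beta"), ("iotdb", "2.0.2"), ("iotdb-jdbc", "1.3.4")]:
        print(f"{comp} {ver}: {affected_cves(comp, ver) or 'not affected'}")
    for artifact, version, cves in scan_pom(SAMPLE_POM):
        print(f"pom: {artifact} {version}: {cves or 'not affected'}")
```

Feed `affected_cves("iotdb", ...)` the version string your server reports and run `scan_pom` over each client's `pom.xml`; a version the regex rejects (a bare `1.3`, or a build with an unusual tag) raises rather than silently passing as unaffected, which is the safer failure mode for a patch-status check.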