Multiple vulnerabilities in Aterm series

Number: NV25-003
CVE: CVE-2025-0354, CVE-2025-0355, CVE-2025-0356

Overview

The Aterm series has multiple vulnerabilities.

- XSS vulnerability (CVE-2025-0354): If the product is accessed by a malicious attacker, arbitrary commands or scripts may be executed.
- Improper access restriction vulnerability (CVE-2025-0355): If the product is accessed by a malicious attacker, device information may be read.
- OS command injection vulnerability (CVE-2025-0356): If the product is accessed by a malicious attacker, arbitrary commands or scripts may be executed.

Products Affected

Aterm

Affected Version

- XSS Vulnerability (CVE-2025-0354)  
  WG2600HS: Before Ver.1.7.2  
  WG2600HP4: Before Ver.1.4.2  
  WG2600HM4: Before Ver.1.4.2  
  WG2600HS2: Before Ver.1.3.2  
  WX3000HP: Before Ver.2.4.2  
  WX4200D5: Before Ver.1.2.4  

- Improper Access Restriction Vulnerability (CVE-2025-0355)  
  WG2600HS: Before Ver.1.7.2  
  WF1200CR: Before Ver.1.6.0  
  WG1200CR: Before Ver.1.5.0  
  GB1200PE: Before Ver.1.3.0  
  WG2600HP4: Before Ver.1.4.2  
  WG2600HM4: Before Ver.1.4.2  
  WG2600HS2: Before Ver.1.3.2  
  WX3000HP: Before Ver.2.4.2  
  WX4200D5: Before Ver.1.2.4  

- OS Command Injection Vulnerability (CVE-2025-0356)  
  WX1500HP: Before Ver.1.4.2  
  WX3600HP: Before Ver.1.5.3 

Solution

References

Credit

Reported to NEC-PSIRT by Kakeru Kajihara of NTT Security Holdings, and Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University.

Update

2025/01/15
First edition