OS Command Injection vulnerability in EXPRESSCLUSTER X
Number: NV25-005
CVE: CVE-2025-11546
Overview
EXPRESSCLUSTER X contains an OS command injection vulnerability (CVE-2025-11546). If an attacker sends specially crafted network packets to the product, arbitrary OS commands may be executed without authentication.
Products Affected
EXPRESSCLUSTER X
Affected Version
EXPRESSCLUSTER X 4.0 for Linux
EXPRESSCLUSTER X 4.1 for Linux
EXPRESSCLUSTER X 4.2 for Linux
EXPRESSCLUSTER X 4.3 for Linux
EXPRESSCLUSTER X 5.0 for Linux
EXPRESSCLUSTER X 5.1 for Linux
EXPRESSCLUSTER X 5.2 for Linux
EXPRESSCLUSTER X 4.0 SingleServerSafe for Linux
EXPRESSCLUSTER X 4.1 SingleServerSafe for Linux
EXPRESSCLUSTER X 4.2 SingleServerSafe for Linux
EXPRESSCLUSTER X 4.3 SingleServerSafe for Linux
EXPRESSCLUSTER X 5.0 SingleServerSafe for Linux
EXPRESSCLUSTER X 5.1 SingleServerSafe for Linux
EXPRESSCLUSTER X 5.2 SingleServerSafe for Linux
Solution
■Please refer to the following web pages and apply the patch.
- EXPRESSCLUSTER X 4.0 for Linux to EXPRESSCLUSTER X 4.3 for Linux
  Please update to EXPRESSCLUSTER X 4.3 for Linux (internal version 4.3.4-1) and apply the patch module.
  - [EXPRESSCLUSTER X 4.0/4.1/4.2/4.3 for Linux Update CPRO-XL070-12E](https://www.support.nec.co.jp/en/View.aspx?NoClear=on&id=9510100433)
  - [EXPRESSCLUSTER X 4.3 for Linux Additional Update](https://www.support.nec.co.jp/en/View.aspx?NoClear=on&id=4140100135)
- EXPRESSCLUSTER X 5.0 for Linux to EXPRESSCLUSTER X 5.2 for Linux
  Please update to EXPRESSCLUSTER X 5.3 for Linux (internal version 5.3.0-1) or later.
  - [EXPRESSCLUSTER X 5.3 for Linux Update Release CPRO-XL080-10E (Internal Version 5.3.1-1)](https://www.support.nec.co.jp/en/View.aspx?NoClear=on&id=9510100528)
- EXPRESSCLUSTER X SingleServerSafe 4.0 for Linux to EXPRESSCLUSTER X SingleServerSafe 4.3 for Linux
  Please update to EXPRESSCLUSTER X 4.3 for Linux (internal version 4.3.4-1) and apply the correction module.
  - [EXPRESSCLUSTER X SingleServerSafe 4.0/4.1/4.2/4.3 for Linux Update CPRO-XL440-12E](https://www.support.nec.co.jp/en/View.aspx?NoClear=on&id=9510100434)
  - [EXPRESSCLUSTER X SingleServerSafe 4.3 for Linux Additional Update](https://www.support.nec.co.jp/en/View.aspx?NoClear=on&id=4140100136)
- EXPRESSCLUSTER X SingleServerSafe 5.0 for Linux to EXPRESSCLUSTER X SingleServerSafe 5.2 for Linux
  Please update to EXPRESSCLUSTER X SingleServerSafe 5.3 for Linux (internal version 5.3.0-1) or later.
  - [EXPRESSCLUSTER X SingleServerSafe 5.3 for Linux Update Release CPRO-XL450-10E (Internal Version 5.3.1-1)](https://www.support.nec.co.jp/en/View.aspx?NoClear=on&id=9510100529)
■Apply a Workaround
Enable the firewall and block unnecessary communication as follows:
- Allow connection requests only from hosts belonging to the cluster for the following ports.
  - Data transfer (default: 29002)
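The workaround above rendered as a host firewall ruleset, as an added example that is not part of the advisory and is not NEC's own configuration. It assumes nftables is in use and that the data transfer port is TCP; the member addresses (192.0.2.10, 192.0.2.11) are constructed placeholders to be replaced with the real cluster nodes.

```shell
#!/bin/sh
# Constructed example: restrict the EXPRESSCLUSTER data transfer port to cluster members.
# Assumptions (not from the advisory): the port is TCP and nftables is available.

CLUSTER_PORT="${CLUSTER_PORT:-29002}"                    # advisory default
CLUSTER_HOSTS="${CLUSTER_HOSTS:-192.0.2.10 192.0.2.11}"  # placeholder cluster nodes

# Emit an nftables ruleset that accepts new connections to the data transfer
# port only from cluster members and drops every other connection to that port.
# Usage: build_ruleset PORT HOST...
build_ruleset() {
    port="$1"; shift
    hosts=""
    for h in "$@"; do
        hosts="${hosts:+$hosts, }$h"   # join as "a, b, c" for the nft set literal
    done
    cat <<EOF
table inet expresscluster {
    set cluster_hosts {
        type ipv4_addr
        elements = { $hosts }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        tcp dport $port ip saddr @cluster_hosts ct state new accept
        tcp dport $port drop
    }
}
EOF
}

# Load the ruleset into the kernel (requires root).
# Pass "-c" as the first argument to only check the syntax without loading it.
apply_ruleset() {
    build_ruleset "$CLUSTER_PORT" $CLUSTER_HOSTS | nft ${1:+"$1"} -f -
}

# Pure-shell mirror of the rule logic: would this source address be accepted?
is_cluster_host() {
    for h in $CLUSTER_HOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}
```

Run `apply_ruleset -c` first to validate the generated rules, then `apply_ruleset` to load them; the check covers only the data transfer port named in the advisory, so any other cluster ports you restrict need their own rules.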
References
CVE-2025-11546
https://www.cve.org/CVERecord?id=CVE-2025-11546
Update
- 2025/11/07: First edition