jvndb-2025-000002
Vulnerability from jvndb
Published
2025-02-14 15:48
Modified
2025-02-14 15:48
Severity ?
7.5 (High) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Multiple vulnerabilities in NEC Aterm series (NV25-003)
Details
Aterm series provided by NEC Corporation contains multiple vulnerabilities listed below. <ul> <li>Stored Cross-site Scripting (CWE-79) - CVE-2025-0354</li> <li>Missing Authentication for Critical Function (CWE-306) - CVE-2025-0355</li> <li>OOS Command Injection (CWE-78) - CVE-2025-0356</li> </ul> CVE-2025-0354, CVE-2025-0355 Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer. CVE-2025-0356 Kakeru Kajihara of NTT Security Holdings reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
References
JVN https://jvn.jp/en/jp/JVN65447879/index.html
CVE https://www.cve.org/CVERecord?id=CVE-2025-0354
CVE https://www.cve.org/CVERecord?id=CVE-2025-0355
CVE https://www.cve.org/CVERecord?id=CVE-2025-0356
OS Command Injection(CWE-78) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Cross-site Scripting(CWE-79) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
No Mapping(CWE-Other) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Impacted products
NEC CorporationAterm GB1200PE firmware
NEC CorporationAterm WF1200CR firmware
NEC CorporationAterm WG1200CR firmware
NEC CorporationAterm WG2600HM4 firmware
NEC CorporationAterm WG2600HP4 firmware
NEC CorporationAterm WG2600HS2 firmware
NEC CorporationAterm WG2600HS firmware
NEC CorporationAterm WX1500HP firmware
NEC CorporationAterm WX3000HP firmware
NEC CorporationAterm WX3000HP firmware
NEC CorporationAterm WX3600HP firmware
NEC CorporationAterm WX4200D5 firmware
Show details on JVN DB website

To clipboard 

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000002.html",
  "dc:date": "2025-02-14T15:48+09:00",
  "dcterms:issued": "2025-02-14T15:48+09:00",
  "dcterms:modified": "2025-02-14T15:48+09:00",
  "description": "Aterm series provided by NEC Corporation contains multiple vulnerabilities listed below.\r\n\r\n\u003cul\u003e\r\n\u003cli\u003eStored Cross-site Scripting (CWE-79) - CVE-2025-0354\u003c/li\u003e\r\n\u003cli\u003eMissing Authentication for Critical Function (CWE-306) - CVE-2025-0355\u003c/li\u003e\r\n\u003cli\u003eOOS Command Injection (CWE-78) - CVE-2025-0356\u003c/li\u003e\r\n\u003c/ul\u003e\r\n\r\nCVE-2025-0354, CVE-2025-0355\r\nTakayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.\r\n\r\nCVE-2025-0356\r\nKakeru Kajihara of NTT Security Holdings reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
  "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000002.html",
  "sec:cpe": [
    {
      "#text": "cpe:/o:nec:aterm_gb1200pe_firmware",
      "@product": "Aterm GB1200PE firmware",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:nec:aterm_wf1200cr_firmware",
      "@product": "Aterm WF1200CR firmware",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:nec:aterm_wg1200cr_firmware",
      "@product": "Aterm WG1200CR firmware",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:nec:aterm_wg2600hm4_firmware",
      "@product": "Aterm WG2600HM4 firmware",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:nec:aterm_wg2600hp4_firmware",
      "@product": "Aterm WG2600HP4 firmware",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:nec:aterm_wg2600hs2_firmware",
      "@product": "Aterm WG2600HS2 firmware",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:nec:aterm_wg2600hs_firmware",
      "@product": "Aterm WG2600HS firmware",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:nec:aterm_wx1500hp_firmware",
      "@product": "Aterm WX1500HP firmware",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:nec:aterm_wx3000hp_firmware",
      "@product": "Aterm WX3000HP firmware",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:nec:aterm_wx3000hp_firmware",
      "@product": "Aterm WX3000HP firmware",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:nec:aterm_wx3600hp_firmware",
      "@product": "Aterm WX3600HP firmware",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:nec:aterm_wx4200d5_firmware",
      "@product": "Aterm WX4200D5 firmware",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    }
  ],
  "sec:cvss": {
    "@score": "7.5",
    "@severity": "High",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2025-000002",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN65447879/index.html",
      "@id": "JVN#65447879",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-0354",
      "@id": "CVE-2025-0354",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-0355",
      "@id": "CVE-2025-0355",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-0356",
      "@id": "CVE-2025-0356",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-78",
      "@title": "OS Command Injection(CWE-78)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in NEC Aterm series (NV25-003)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.