Published: 2024/04/04  Last Updated: 2025/02/26

JVNVU#91975826
Multiple vulnerabilities in PLANEX COMMUNICATIONS wireless LAN routers

Overview

Wireless LAN routers provided by PLANEX COMMUNICATIONS INC. contain multiple vulnerabilities.

Products Affected

  • MZK-MF300N all firmware versions
  • MZK-MF300HP2 firmware versions 1.18 and earlier

Description

Wireless LAN routers provided by PLANEX COMMUNICATIONS INC. contain multiple vulnerabilities listed below.

  • Active debug code (CWE-489)
    • CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 6.8
    • CVE-2024-30219
  • Command injection on a certain port (CWE-77)
    • CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 8.8
    • CVE-2024-30220

Impact

  • If a logged-in user who knows how to use the debug function accesses the device's management page, an unintended operation may be performed (CVE-2024-30219)
  • An unauthenticated attacker may execute an arbitrary command by sending a specially crafted request to a certain port (CVE-2024-30220)

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Stop using the product
According to the developer, MZK-MF300N is no longer supported. Stop using the product.

For more information, refer to the information provided by the developer.

Vendor Status

Vendor                       Status       Last Update   Vendor Notes
PLANEX COMMUNICATIONS INC.   Vulnerable   2025/02/21

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2024-30219, CVE-2024-30220

Update History

2025/02/26
PLANEX COMMUNICATIONS INC. update status
2025/02/26
Information under the section [Title], [Overview], [Products Affected], [Description], [Solution], and [Credit] was updated